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Assistant Commissioner for Patents 
Washington, D.C. 20231 



PETITION FOR PATENT APPLICATION 
FILING UNDER 37 CFR 1.47(a) 



Dear Sir: 



RECEIVED 

JUL 0 1 2002 
OFFICE OF PETITIONS 



Applicant petitions for the filing of the present patent application in light of an inventor, 
Daniel J. Melchione, who refuses to sign or cannot be reached pursuant to 37 CFR 1.47(a). 

Mr. Melchione is named as a joint inventor on the above-identified patent application 
("Patent Application"). A copy of a Filing Receipt mailed on February 25, 2002, is provided at 
Exhibit 1. At the request of Applicant's representative, the Filing Receipt was withdrawn on 
May 8, 2002, a copy of which is provided at Exhibit 2. Copies of a substitute Filing Receipt 
dated May 8, 2002, and Notice of File Missing Parts of Nonprovisional Application are provided 
at Exhibits. Mr. Melchione has refused to sign the application papers despite reasonable efforts 
to contact him and secure his signature. 

The patent application is a conversion of U.S. provisional patent application Serial No. 
60/309,835, filed August 3, 2001. The Filing Receipt for the provisional patent application, 
listing Daniel J. Melchione as an applicant, is provided at Exhibit 4. Mr. Melchione assigned 
over all rights, title and interest in the provisional patent application to his former employer 
Networks Associates Technology, Inc. ("Networks Associates"), the assignee of the Patent 

06/28/2002 AUONDftFl 00000038 10056702 

02 FC:122 130.00 OP 



Application, oi 




2, 2001 (Exhibit 5). Thus, Networks Associates owns all rights, title and 
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interest in the subject matter of the provisional patent application vis-a-vis Mr. Melchione. 



No. 60/309,858, filed August 3, 2001. The Filing Receipt for the provisional patent application, 
listing Daniel J. Melchione as an applicant, is provided at Exhibit 6. Mr. Melchione assigned 
over all rights, title and interest in the provisional patent application to Networks Associates, the 
assignee of the Patent Application, on August 2, 2001 (Exhibit 7). Thus, Networks Associates 
owns all rights, title and interest in the subject matter of the provisional patent application vis-a- 
vis Mr. Melchione. 

As well, Mr. Melchione is subject to an obligation to assign the Patent Application to his 
former employer, Networks Associates. As a condition of employment with Networks 
Associates, he signed an "Employee Inventions and Proprietary Rights Assignment Agreement" 
("Employee Agreement"), dated April 24, 2000 (Exhibit 8). In his Employee Agreement, Mr. 
Melchione agreed to "assign and agree to assign to the Company [Networks Associates] . . . [his] 
entire right, title and interest in and to all inventions and any associated intellectual property 
rights which [he] may solely or jointly conceive, develop or reduce to practice during the period 
of [his] employment" and to execute documents and assist and cooperate in the registration and 
enforcement of applicable patents. Further, according to the terms of the Employee Agreement, 
Mr. Melchione agreed that if "the Company is unable for any reason to secure my signature to 
any document required to apply for or execute any patent . . . [he] hereby irrevocably designate^] 
and appoints] the Company and its duly authorized officers and agents as my agents and 
attorneys-in-fact to act for and on my behalf and instead of me, to execute and file any such 
application and to do all other lawfully permitted acts to further the prosecution and issuance of 
patents . . . with the same legal force and effect as if executed by me." As an agent of Networks 
Associates, Applicant's representative asserts Networks Associates' designation and appointment 
to act on behalf of Mr. Melchione to execute and file the Patent Application. 

In addition, Applicant's representative has undertaken reasonable efforts to contact Mr. 
Melchione and secure his signature. Mr. Melchione left the employ of Networks Associates 
around August 5, 2001 and has not been in contact with either the Applicant or Applicant's 
representative. Applicant was therefore unable to directly obtain Mr. Melchione' s signature on 



The patent application is also a conversion of U.S. provisional patent application Serial 



an Oath or 




iti0rtor the Patent Application. A declaration by Applicant's representative's 
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paralegal, Casey Leichter, is provided at Exhibit 9, in support of the efforts undertaken to contact 
Mr. Melchione. On December 21, 2001, Applicant's representative mailed the following 
documents (" Documents") to Mr. Melchione via Certified Mail with Return Receipt Requested 
and by First Class Mail: (1) U.S. Patent Application entitled, "System And Method For Providing 
A Framework For Network Appliance Management In A Distributed Computing Environment"; 
(2) Declaration and Power of Attorney; (3) Assignment; and (4) cover letter from the Law 
Offices of Patrick J.S. Inouye, dated December 21, 2001 (Exhibit 10). Copies of the Certificate 
of Mailing and Certified Mail Receipt are provided at Exhibit 11. Around January 31, 2002, the 
Certified Mailing Document Set was returned as unclaimed. A copy of the envelope for the 
Certified Mailing Document Set, indicating the reason for return, is provided at Exhibit 12. A 
copy of the partially-signed Declaration requiring Mr. Melchione's signature is provided at 



Accordingly, in light of assignments of the subject matter disclosed in the related 
provisional patent applications, Mr. Melchione's obligation to assign, and the reasonable efforts 
undertaken by Applicant's representative, Applicant requests the grant of this Petition for the 
filing of the Patent Application in light of the refusal of Mr. Melchione to sign the application 
papers. A petition fee of $130.00 is enclosed. Please contact the undersigned at (206) 381-3900 
regarding any questions or concerns associated with the present matter. 



Exhibit 13. 




Respectfully submitted, 



Dated: June 17, 2002 



The Law Offices of Patrick J.S. Inouye 



810 3 rd Avenue, Suite 258 
Seattle, WA 98104 




Telephone: (206)381-3900 
Facsimile: (206)381-3999 
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United States Patent and Trademark Office 



Commissioner for Patents 
United States Patent and Trademark Office 

Washington. D.C. 20231 
www.uspto.gov 



APPLICATION NUMBER | FILING DATE | GRP ART UNIT | FIL FEE REC'D | ATTY.DOCKET.NO| DRAWINGS | TOT CLAIMS j 1ND CLAIMS [ 
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810 Third Avenue 

Seattle, WA 981 04 




CONFIRMATION NO. 2048 
FILING RECEIPT 

i ii i! ii. mil ir mil pin in hi i ii in in i ii 



'OC000000007527792* 



Date Mailed: 02/25/2002 



Receipt is acknowledged of this nonprovisional Patent Application. It will be considered in its order and you will be 
notified as to the results of the examination. Be sure to provide the U.S. APPLICATION NUMBER, FILING DATE, 
NAME OF APPLICANT, and TITLE OF INVENTION when inquiring about this application. Fees transmitted by 
check or draft are subject to collection. Please verify the accuracy of the data presented on this receipt. If an 
error is noted on this Filing Receipt, please write to the Office of Initial Patent Examination's Customer 
Service Center. Please provide a copy of this Filing Receipt with the changes noted thereon. If you 
received a "Notice to File Missing Parts" for this application, please submit any corrections to this Filing 
Receipt with your reply to the Notice. When the USPTO processes the reply to the Notice, the USPTO will 
generate another Filing Receipt incorporating the requested corrections (if appropriate). 

Applicant(s) 

Victor Kouznetsov, Aloha, OR; 
Michael Chin-Hwan Pak, Portland, OR; 
Daniel J. Melchione, Beaverton, OR; 
Ian Shaughnessy, Portland, OR; 

Domestic Priority data as claimed by applicant 

THIS APPLN CLAIMS BENEFIT OF 60/309,835 08/03/2001 
AND CLAIMS BENEFIT OF 60/309,858 08/03/2001 

Foreign Applications 



If Required, Foreign Filing License Granted 02/25/2002 

Projected Publication Date: Request for Non-Publication Acknowledged 
Non-Publication Request: Yes 
Early Publication Request: No 



Title 



System and method for providing a framework for network appliance management in a distributed 
computing environment 
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. reliminary Class 

707 



LICENSE FOR FOREIGN FILING UNDER 
Title 35, United States Code, Section 184 
Title 37, Code of Federal Regulations, 5.11 & 5.15 

GRANTED 

The applicant has been granted a license under 35 U.S.C. 184, if the phrase "IF REQUIRED, FOREIGN FILING 
LICENSE GRANTED" followed by a date appears on this form. Such licenses are issued in all' applications where 
the conditions for issuance of a license have been met, regardless of whether or not a license may be required as 
set forth in 37 CFR 5.1 5. The scope and limitations of this license are set forth in 37 CFR 5.1 5(a) unless an earlier 
license has been issued under 37 CFR 5.15(b). The license is subject to revocation upon written notification. The 
date indicated is the effective date of the license, unless an earlier license of similar scope has been granted 
under 37 CFR 5.13 or 5.14. 

This license is to be retained by the licensee and may be used at any time on or after the effective date thereof 
unless it is revoked. This license is automatically transferred to any related applications(s) filed under 37 CFR 
1 .53(d). This license is not retroactive. 

The grant of a license does not in any way lessen the responsibility of a licensee for the security of the subject 
matter as imposed by any Government contract or the provisions of existing laws relating to espionage and the 
national security or the export of technical data. Licensees should apprise themselves of current regulations 
especially with respect to certain countries, of other agencies, particularly the Office of Defense Trade Controls, 
Department of State (with respect to Arms, Munitions and Implements of War (22 CFR 121-128)); the Office of 
Export Administration, Department of Commerce (15 CFR 370.10 (j)); the Office of Foreign Assets Control 
Department of Treasury (31 CFR Parts 500+) and the Department of Energy. 

NOT GRANTED 

No license under 35 U.S.C. 184 has been granted at this time, if the phrase "IF REQUIRED, FOREIGN FILING 
LICENSE GRANTED" DOES NOT appear on this form. Applicant may still petition for a license under 37 CFR 
5.12, if a license is desired before the expiration of 6 months from the filing date of the application. If 6 months 
has lapsed from the filing date of this application and the licensee has not received any indication of a secrecy 
order under 35 U.S.C. 1 81 , the licensee may foreign file the application pursuant to 37 CFR 5.1 5(b). 
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United States Patent and Trademark Office 



Commissioner for Patents 
United States Patent and Trademark Office 

WASHINGTON, D.C. 20231 

www.uspto.gov 



APPLICATION NUMBER 



FILING DATE 



FIRST NAMED APPLICANT 



ATTY. DOCKET NO./TITLE 



J 



10/056,702 



22895 

PATRICK J S INOUYE P S 
810 3RD AVENUE 
SUITE 258 

SEATTLE, WA 98104 



01/25/2002 




Victor Kouznetsov 



002.0230.01 



CONFIRMATION NO. 2048 
WITHDRAWAL NOTICE 

IMIHIiliniHllllHll 



•OC0000000080591 82* 



Date Mailed: 05/08/2002 



withdrawal of previously sent notice 

The Notice mailed on 02/25/2002 was sent in error and is hereby withdrawn. A corrected Notice is enclosed The 
time period for reply runs from the mail date of the corrected Notice. We apologize for any inconvenience this 
caused. 



A copy of this notice MUST be returned with the reply. 



Customer Service Center 
Initial Patent Examination Division (703) 308-1202 

PART 1 - ATTORNEY/APPLICANT COPY 
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United States Patent and Trademark Office 



Commissioner for Patents 
United States Patent and Trademark Office 
washington, d.c. 20231 
www.uspto.gov 



APPLICATION NUMBER 

10/056,702 



I I I ■ wvyw.U5piO.go v 

| FILING DATE | GRP ART UNIT | FIL FEE RECD |ATTV.DOCKET.NO| DRAWINGS | TOT CLAIMS | IND CLAIMS I 
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Date Mailed: 05/08/2002 



Receipt is acknowledged of this nonprovisional Patent Application. It will be considered in its order and you will be 
notified as to the results of the examination. Be sure to provide the U.S. APPLICATION NUMBER FILING DATE 
NAME OF APPLICANT, and TITLE OF INVENTION when inquiring about this application Fees transmitted I by 
check or draft are subject to collection. Please verify the accuracy of the data presented on this receipt If an 
error is noted on this Filing Receipt, please write to the Office of Initial Patent Examination's Filing 
Receipt Corrections, facsimile number 703-746-9195. Please provide a copy of this Filing Receipt with the 
changes noted thereon If you received a "Notice to File Missing Parts" for this application, please submit 

♦ n ^ C0 M e * Ct '°?K t0 . 5™" ng ReC6ipt With your re P'y to the Notice " Whe " the us PTO processes the reply 
to the Notice, the USPTO will generate another Filing Receipt incorporating the requested corrections (if 
appropriate). 1 



Applicant(s) 

Victor Kouznetsov, Aloha, OR; 
Michael Chin-Hwan Pak, Portland, OR; 
Daniel J. Melchione, Beaverton, OR; 
Ian Shaughnessy, Portland, OR; 



Domestic Priority data as claimed by applicant 

THIS APPLN CLAIMS BENEFIT OF 60/309,835 08/03/2001 
AND CLAIMS BENEFIT OF 60/309,858 08/03/2001 

Foreign Applications 

If Required, Foreign Filing License Granted 02/25/2002 

Projected Publication Date: Request for Non-Publication Acknowledged 

Non-Publication Request: Yes 

Early Publication Request: No 



Title 

System and method for providing a framework for network appliance management in a distributed 
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computing environment 



Preliminary Class 

707 



LICENSE FOR FOREIGN FILING UNDER 
Title 35, United States Code, Section 184 
Title 37, Code of Federal Regulations, 5.11 & 5.15 



GRANTED 



MPpSS rSn 8 rant 5! a hC f1 Se Und6r 35 U S C - 184 ' if the P nrase " ,F REQUIRED, FOREIGN FILING 
♦u I • « D followed bv a date appears on this form. Such licenses are issued in all applications where 
the conditions for issuance of a license have been met, regardless of whether or not a license may be required as 
set torth in 37 CFR 5.15. The scope and limitations of this license are set forth in 37 CFR 5.15(a) unless an earlier 
license nas been issued under 37 CFR 5.15(b). The license is subject to revocation upon written notification. The 
date indicated is the effective date of the license, unless an earlier license of similar scope has been granted 
under 37 CFR 5.13 or 5.14. 

This license is to be retained by the licensee and may be used at any time on or after the effective date thereof 

rJo^ -ru reVOked - ThlS llCense is automatically transferred to any related applications® filed under 37 CFR 
1 .53(d). This license is not retroactive. 

The grant of a license does not in any way lessen the responsibility of a licensee for the security of the subject 
matter as imposed by any Government contract or the provisions of existing laws relating to espionage and the 
nationa security or the export of technical data. Licensees should apprise themselves of current regulations 
especially with respect to certain countries, of other agencies, particularly the Office of Defense Trade Controls 
Department of State (with respect to Arms, Munitions and Implements of War (22 CFR 121-128))- the Office of 
Export Administration, Department of Commerce (15 CFR 370.10 ©); the Office of Foreign Assets Control 
Department of Treasury (31 CFR Parts 500+) and the Department of Energy. 

NOT GRANTED 

HrF^QC^rDfiWTC^^ivJcc b6en 9ranted atthis time> if the P hrase " IF REQUIRED, FOREIGN FILING 

c ?o •? .• -P ? 0ES NOT appear on this form. Applicant may still petition for a license under 37 CFR 
5.12 if a hcense is desired before the expiration of 6 months from the filing date of the application. If 6 months 
has lapsed from the filing date of this application and the licensee has not received any indication of a secrecy 
order under 35 U.S.C. 1 81 , the licensee may foreign file the application pursuant to 37 CFR 5 1 5(b) 
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United States Patent and Trademark Office 



Commissioner for Patents 
United States Patent and Trademark Office 
Washington, d.C. 20231 
www.uspto.gov 



APPLICATION NUMBER 



FILING/RECEIPT DATE 



FIRST NAMED APPLICANT | ATTORNEY DOCKET NUMBER [ 



10/056,702 



22895 

PATRICK J S INOUYE P S 
810 3RD AVENUE 
SUITE 258 

SEATTLE, WA 98104 




Victor Kouznetsov 



002.0230.01 



CONFIRMATION NO. 2048 
FORMALITIES LETTER 



•OC000000008059226* 



Date Mailed: 05/08/2002 

NOTICE TO FILE MISSING PARTS OF NONPROVISIONAL APPLICATION 

FILED UNDER 37 CFR 1.53(b) 
Filing Date Granted 

Items Required To Avoid Abandonment: 

An application number and filing date have been accorded to this application. The itemfe) indicated below 
however, are missing. Applicant is given TWO MONTHS from the date of this Notice within which to file all 
required items and pay any fees required below to avoid abandonment. Extensions of time may be obtained by 
filing a petition accompanied by the extension fee under the provisions of 37 CFR 1 .136(a). 

• The signature of the following inventor(s) is missing from the oath or declaration- 
Daniel J. Melchione 

• To avoid abandonment, a late filing fee or oath or declaration surcharge as set forth in 37 CFR 1 16(1) of 
$1 30 for a non-small entity, must be submitted with the missing items identified in this letter. 

Items Required To Avoid Processing Delays: 

The item(s) indicated below are also required and should be submitted with any reply to this notice to avoid 
further processing delays. 

SUMMARY OF FEES DUE: 

Total additional fee(s) required for this application is $130 for a Large Entity 

• $130 Late oath or declaration Surcharge. 



A copy of this notice MUST be returned with the reply. 
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Patrick J.S. Inouye, Esq. 
The Law Offices of Patrick J.S. Inouye 
Suite 258 
810 Third Avenue 
Seattle, WA98104 



Date Mailed: 09/04/2001 

Receipt is acknowledged of this provisional Patent Application. It will not be examined for patentability and will 
?,? ?^™ bi t ndoned not later than t^ 65 months after its fill 'ng date. Be sure to provide the U S APPLICATION 
NUMBER, FILING DATE, NAME OF APPLICANT, and TITLE OF INVENTION when inquiring abou\ this 
appl.cat.on. Fees transmitted by check or draft are subject to collection. Please verify the accuracy of the data 

pSI 0 " !- re ' e '? V" er o r "? n ° t6d °" this Fili "9 " ece 'P*> Please write to the Office of Initial 
Patent Examination's Customer Service Center. Please provide a copy of this Filing Receipt with the 
changes noted thereon. If you received a "Notice to File Missing Parts" for this application, please submit 
any corrections to this Filing Receipt with your reply to the Notice. When the USPTO processes the reply 
to the Notice, the USPTO will generate another Filing Receipt incorporating the requested corrections (if 
a p p ro p n 3 is j . 

Applicant(s) 

Victor Kouznetsov, Aloha, OR; y 
Daniel J. Melchione, Beaverton, OR; ^ 
Michael Chin-Hwan Pak, Portland, OR; ^ 
Nicholas C.W. Hogle, Portland, OR; ^ 
Ian Shaughnessy. Portland, OR; 

If Required, Foreign Filing License Granted 09/03/2001 
Projected Publication Date: N/A 
Non-Publication Request: No 
Early Publication Request: No 



Title 



Secure network appliance configuration and management framework 



Data entry by : VAN, VICTORIA Team : OIPE Date: 09/04/2001 

n ii i i i i i i ii j 1 1 1 if ii ii 1 1 1 i n 1 1 hi ii n j i n 1 1 ii ii ii 
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LICENSE FOR FOREIGN FILING UNDER 
Title 35, United States Code, Section 184 
Title 37, Code of Federal Regulations, 5.11 & 5.15 



GRANTED 



mAnS rSiSiS- 8 ! f A a llCer r Undei " 35 U u S C - 184 ' if the P hrase " IF REQUIRED, FOREIGN FILING 
Sr f E ° f0 " 0We d ? y 3 da u ap 1 earS ° n thiS f0rm - Such licenses are issue d in all applications where 

forth n°. n 7 ?pp ? U i a <?Th° f 3 " Cen$e J 13 " 6 . m f ' regardless of whether or not a ,icense -A be required as 
set forth in 37 CFR 5.15. The scope and limitations of this license are set forth in 37 CFR 5.15(a) unless an earlier 

hcense has been issued under 37 CFR 5.15(b). The license is subject to revocation upon written notification The 
t^ZJ^S^lrfiT' 6 ° f liCenSe ' Unl6SS ™ ' iCenSe ° f Similar SCOpe nas been 9 ranted 

This license is to be retained by the licensee and may be used at any time on or after the effective date thereof 

rJo/5x J! reV0ked - Th,s license is automatica l>y transferred to any related applications(s) filed under 37 CFR 
1.53(d). This license is not retroactive. 

The grant of a license does not in any way lessen the responsibility of a licensee for the security of the subject 
matter as imposed by any Government contract or the provisions of existing laws relating to espionage and the 
national security or the export of technical data. Licensees should apprise themselves of current regulations 
especially with respect to certain countries, of other agencies, particularly the Office of Defense Trade Controls 
Department of State (with respect to Arms, Munitions and Implements of War (22 CFR 121-128))- the Office of 
Export Administration, Department of Commerce (15 CFR 370.10 (j)); the Office of Foreign Assets Control 
Department of Treasury (31 CFR Parts 500+) and the Department of Energy. 

NOT GRANTED 

No license under 35 U.S.C. 184 has been granted at this time, if the phrase "IF REQUIRED FOREIGN FILING 
LICENSE GRANTED" DOES NOT appear on this form. Applicant may still petition for a license under 37 CFR 
5.12, if a license is desired before the expiration of 6 months from the filing date of the application If 6 months 
has lapsed from the filing date of this application and the licensee has not received any indication of a secrecy 
order under 35 U.S.C. 181, the licensee may foreign file the application pursuant to 37 CFR 5.15(b). 

PLEASE NOTE the following information about the Filing Receipt: 

• The articles such as "a," "an" and "the" are not included as the first words in the title of an application. 
They are considered to be unnecessary to the understanding of the title. 

• The words "new," "improved," "improvements in" or "relating to" are not included as first words in the. 
title of an application because a patent application, by nature, is a new idea or improvement. 

• The title may be truncated if it consists of more than 500 characters (letters and spaces combined). 

• The docket number allows a maximum of 25 characters. 

• If your application was submitted under 37 CFR 1.10, your filing date should be the "date in" found on the 
Express Mail label. If there is a discrepancy, you should submit a request for a corrected Filing Receipt 
along with a copy of the Express Mail label showing the "date in." 

• The title is recorded in sentence case. 

Any corrections that may need to be done to your Filing Receipt should be directed to: 

Assistant Commissioner for Patents 
Office of Initial Patent Examination 
Customer Service Center 
Washington, DC 20231 



Form PTO-1595 
(Rev. 03/01) 

OMB No. 0651-0027 (exp. 5/31/2002) 
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RECORDATION FORM COVER SHEET 

PATENTS ONLY 



U.S. DEPARTMENT OF COMMERCE 
U.S. Patent and Trademark Office 



To the honorable Commissioner 



1. Name of conveying party(ies): 
Victor Kouznetsov 
Daniel J. Melchione 
Michael Chin-Hwan Pak 
Nicholas C. W. Hogle 
Ian Shaughnessy 

Additional name(s) of conveying partyfies) attached? 




(arts: Please record the attached original documents or copy thereof. 



3. Nature of conveyance: 

fx] Assignment Q Merger 

n Security Agreement Q Change of Name 
Q Other t 



Execution Date: 



2. Name and address of receiving party(ies) 
Name: Networks Associates Technology.. Inc. 
Internal Address: 



Street Address: 3965 Freedom C\rc.\* 



City: Santa Clara State: CA Zi fj; 95Q54 

Additional name(s) & address(es) attached? (_] Yes □ No 



4. Application number(s) or patent number(s): 

If this document is being filed together with a new application, the execution date of the application is: 
Patent Application No.(s) 60/309,835 B. Patent No.(s) 



A. 



ArMirinnal numbers artanhfiri? \~] Yps [X_ 



5. Name and address of party to whom correspondence 
concerning document should be mailed: 

Name : Patrick J.S. Inouve. Esq. 

Law Offices of Patrick J.S. Inouve , 



Internal Address: 



22895 

PATENT TRADEMARK OFFICE 



Street Address: 810 Third Avenue 
Suite 258 



City: Seattle State: WA Zip: 98104 



6. Total number of applications and patents 
involved: 



7. Total fee (37CFR3.41) 40 

|Y| Enclosed 

I | Authorized to be charged to deposit account 



8. Deposit account number: 
501144 



(Attach duplicate copy of this page if paying by deposit account) 



DO NOT USE THIS SPACE 



9. Statement and signature. 

To the best of my knowledge and belief, the foregoin&information is true and correct and any attached copy 
Is a true copy of the original document 4 " 



Patrick J.S. Inouve. Esq. 



NOV 1 2001 



Name of Person Signing ' ./' 'Signature 

Total number of pages including cover sheet, attac nments, and documents: fTI 



Date 



Washington, D.C 20231 



Mail documents to be recorded with required cover sheet information to: 
Commissioner of Patents & Trademarks, Box Assignments 



JOINT ASSIGNMENT 



r w u ; c ^ ' y ° r ^ ouznets ° v ' Damd 1 MeIcIuone > Michael Chin-Hwan Pak, Nicholas 

C.W. Hogle and Ian Shaughnessy (hereinafter ASSIGNORS"), citizens of Russia, USA USA and USA 
respectively, residing at; 20287 S W Tremont Way. Aloha. Oregon 97007- 10380 SW 
Beaverton. Oregon 97007. 15894 NW Andalusia n Wav. Portia, QR 972 29 3017 NE Knott Portia OR 

971212. and 1030 NW Johnson. Unit 219. Portland. OR _£7209jespectively; are the inventors of the 

invention m '"Secure Network Appliance Configuration and Management Framework," for which we have 
executed a provisional patent application with the U.S. Patent and Trademark Office of the United States 

[El which is executed on even date herewith 

HI which is identified by THE LAW OFFICES OF PATRICK J.S. INOUYE as attorney docket no 
0020229.01 

a which was filed on Augusts. 2001 . Application No. 60/309.835 

and WHEREAS, Networks Associates Technology, Inc. (hereinafter "ASSIGNEE"), a Delaware 
Corporation having a business address at 3965 Freedom Circle, Santa Clara CA 95054, is desirous of 
obtaining our entire right, title and interest in, to and under the said invention and the said application: 

NOW, THEREFORE, in exchange for good and valuable consideration, the receipt of which is 
hereby acknowledged, we, the said ASSIGNORS, have sold, assigned, transferred and set over, and by these 
presents do hereby sell, assign, transfer and set over, unto the said ASSIGNEE, its successors, legal 
representatives and assigns, our entire right, title and interest in, to and under the said invention, and the said 
United States provisional patent application and all conversions, divisions, renewals and continuations 
thereof, and all Patents of the United States which may be granted thereon and all reissues and extensions 
thereof; and all applications for industrial property protection, including, without limitation, all applications 
for patents, utility models, and designs which may hereafter be filed for said invention in any country or 
countries foreign to the United States, together with the right to file such applications and the right to claim 
for the same the priority rights derived from said United States application under the Patent Laws of the 
United States, the International Convention for the Protection of Industrial Property, or any other 
international agreement or the domestic laws of the country in which any such application is filed, as may be 
applicable; and all forms of industrial property protection, including, without limitation, patents, utility 
models, inventors' certificates and designs which may be granted for said invention in any country or 
countries foreign to the United States and all extensions, renewals and reissues thereof; 

AND WE HEREBY authorize and request the Director of the United States Patent and Trademark 
Office, and any Official of any country or countries foreign to the United States, whose duty it is to issue 
patents or other evidence or forms of industrial property protection on applications as aforesaid, to issue the 
same to the said ASSIGNEE, its successors, legal representatives and assigns, in accordance with the terms 
of this instrument. 

AND WE HEREBY covenant and agree that we have the full right to convey the entire interest 
herein assigned, and that we have not executed, and will not execute, any agreement in conflict herewith. 

AND WE HEREBY further covenant and agree that we will communicate to the said ASSIGNEE, 
its successors, legal representatives and assigns, any facts known to us respecting said invention, and testify 
in any legal proceeding, sign all lawful papers, execute all divisional, continuing, reissue and foreign 
applications, make all rightful oaths, and generally do everything possible to aid the said ASSIGNEE, its 
successors, legal representatives and assigns, to obtain and enforce proper protection for said invention in all 
countries. In the event that one or more of the above inventors is not an employee of ASSIGNEE at the 
time such aid is required, they agree to render such aid in return for an hourly rate of pay no greater than 
twice their equivalent regular hourly pay as it stood on the date of their departure from ASSIGNEE. 



IN TESTIMONY WHEREOF, We hereunto set.our hands and seals the day and year set oooosite 
our respective signatures. J • ycar set opposite 

• * > ' .x 

.... , — 



Date Qc j o Ue^ j [ 



2001 




/ I 

In the Siate of UkJtiiW 

me, "Id k Wyt&fJ . Tfm^jnf 



Victor Kouznetsov 



,™«jy°f U "jil^UdA^MjLML before 



, Notary Public, personally appeared Victor 



Kouznetsov personally known to me/proved to me on the basis of satisfactory evidence to be the person 
whose name is subscribed to the within instrument and acknowledged to me that he executed tlS same in hi, 
aut onzed capacity and that by his signature on the instrument the person, ^"^Tot 
which the person acted, executed the instrument. <^ 

WITNESS my hand and official seal 



L 





OFFICIAL SEAL 
RITA MARIE JIMENEZ 

NOTARY PUBLIC-OREGON 
COMMISSION NO. 3l826t 
MY COMMISSION EXPIRES NOV. 22. 2002 



Date 



_,2001 




Notary Public 

/7 



Daniel J. Melchfone 



& -rz — 



^g^ffV T nty ° f t^^lnCiW) onflurffrftffit^ before 
-bfeLli f(r\f NotaryPublic, personallkippeare3 Daniel J. 

IV known to me/nrnvp/l tn mo nn tVio „<• ii-r-..^. • i . . 



In the State % of Of 

rcf'i ( MfafS , ■, ,■<, v • ■ >. ■ . v| • ruouc, personailyy&ppeared Daniel J 

Melchione, personklly known to me/proved to me on the basis of satisfactory evidence to be the person 
whose name is subscribed to the within instrument and acknowledged to me that he executed the same in his 
authorized capacity, and that by his signature on the instrument the person, or the entity upon behalf of 
which the person acted, executed the instrument. 



WITNESS my hand and official seal 




OFFICIAL SEAL 
MARY ELIEM GARY 

NOTARY PUBLIC-OREGON 
COMMISSION NO. 322505 
MY COMMISSION EfflRES MAY 7. 2003 



Notacy Public " \ 



Dat e ClZA. 



2001 




Michael Chin-Hwan Pak 
In the State of t KlA^ county of l\X&kincj?o^ 

me ' iMrMJEl rmhj [V UO. n 5 Notary Public, personally appeared Michael Chin-Hwan 



on 



, before 



Pak, personally known t6 me/proved to me on the basis of satisfactory evidence to be the person whose 
name is subscribed to the within instrument and acknowledged to me that he executed the same in his 
authorized capacity, and that by his signature on the instrument the person, or the entity upon behalf of 
which the person acted, executed the instrument. - * 1 , 

SflARGABST MARY NEVAMS to Q Notary Public J 

NOTARY PUBUC-OREG0N (fl ■ 
COMMISSION NO. 345295 to 
^i-^^^^^3y^^^ N EXPIRES AFRJL 26, 2005 jL 




Date ,2001 

Nicholas C.W. Hogk 



In the State of , county of 



. on , before 



S 6 ' 1 77—, ~, ; Notary Public, personally appeared Nicholas C W 

Hogle, personally known to me/proved to me on the basis of satisfactory evidence to be the pe on whose 
name is subscribed to the withm instrument and acknowledged to me that he executed the sS 
author zed capacity and that by his signature on the instrument the person, or the entity upon behalf of 
which the person acted, executed the instrument. 



WITNESS my hand and official seal 



Notary Public 



Dat e 1(VQ~Q\ ,2001 

laughnessy 




111 *Wi ft L^lW 0 , > ° f ^K\^j W) on jMsAm - before 

me ' H^^pfflE^- Notary Public! personally appetecf^n Shaughnes y, 

p^^Hy^Wme/pr'Sved tcrtne on the basis of satisfactory evidence to be the person whose name is 
subscribed to the within instrument and acknowledged to me that he executed the same in his authorized 
capacity, and that by his signature on the instrument the person, or the entity upon behalf of which the 
person acted, executed the instrument. _ 

WITNESS my hand and official seal \ ) l^LLufi f (- A^ i jQ j 1 il 

~ Notary Public V" ^ 




OFFICIAL SEAL 

mary mm GARY 

NOTARY PUBLIC-OREGON 
COMMISSION NO. 322505 
MY COMMISSION EXFIRES MAY 7, ?C03 
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Date Mailed: 09/04/2001 

Receipt is acknowledged of this provisional Patent Application. It will not be examined for patentability and will 

Patent Exammat.on's Customer Service Center. Please provide a copy of this F Hnc , ReeeS with hJ 
changes noted thereon. If you received a "Notice to File Missing Parts" for this appHcation ^ 
S h c X? °? h t0 1 I5 l D S T F " in ?, ReCeipt Wlth y° ur re P'y to the N <*«. When the ulpTO p oces^s The reply 
appropriate?' W 9enerate an ° th6r R,ing ReC6ipt incor ^^ the requested corrections (ff 



Applicant(s) 



Davide Libenzi, Hillsboro, OR; ' 
Daniel J. Melchione, Beaverton, OR; y 



If Required, Foreign Filing License Granted 09/01/2001 
Projected Publication Date: N/A 
Non-Publication Request: No 
Early Publication Request: No 



Title 



System and method for performing efficient anti-virus screening of transient messaqes at a 
network gateway ^ 



Data entry by : MANALAC, AMELIA Team : OIPE Date: 09/04/2001 
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LICENSE FOR FOREIGN FILING UNDER 
Title 35, United States Code, Section 184 
Title 37, Code of Federal Regulations, 5.11 & 5.15 



GRANTED 



The applicant has been granted a license under 35 U.S.C. 184, if the phrase "IF RFQiiiRFn forpipm en ,ki^ 

SSSST 60 " f0 " 0W f ed ? Y 3 ^i 6 aPP K 6arS 00 thiS f ° rm - Suchlicense 6 are ^KiS^ 

2J forth ? r°p r i S JT C T,° f 3 " CenSe ?? Ve been met ' re 9 a ^less of whether or not a license may be reared as 

^T^n^^^ms^Z °r th, ' S ,iCenS \ are S6t f ° rth in 37 CFR 5 - 15 ^ ^s "n eadifr 
ucense nas been issued under 37 CFR 5.15(b). The license is subject to revocation upon written notification The 

SSraylSS?^* ° f ^ ' iCenSe " ^ ™ ^ ° f Similar scTpfhas been Ranted 

This license is to be retained by the licensee and may be used at any time on or after the effective date thereof 

The grant of a license does not in any way lessen the responsibility of a licensee for the security of the subject 
matter as imposed by any Government contract or the provisions of existing laws relating to espionage and the 
nationa security or the export of technical data. Licensees should apprise themselves of cufrent ?egu lations 
especially with respect to certain countries, of other agencies, particularly the Office of Defense Trade Controls 
Department of State (with respect to Arms, Munitions and Implements of War (22 CFR 121-128H- the Office of 
Export Administration, Department of Commerce (15 CFR 370.10 0)); the Office of Foreign Assets Control 
Department of Treasury (31 CFR Parts 500+) and the Department of Energy 9 ' 

NOT GRANTED 

!^™SV U ramto^mq n^t* ^ ° Ta S d ? MS *™ ' if the phraSe " ,F SQUIRED, FOREIGN FILING 
LICENSE GRANTED DOES NOT appear on this form. Applicant may still petition for a license under 37 CFR 
5.12 if a license is desired before the expiration of 6 months from the filing date of the application If 6 months 
has lapsed from the filing date of this application and the licensee has not received any indication of a secrecy 
order under 35 U.S.C. 181 , the licensee may foreign file the application pursuant to 37 CFR 5.15(b). 

PLEASE NOTE the following information about the Filing Receipt: 

• The articles such as "a," "an" and "the" are not included as the first words in the title of an application 
They are considered to be unnecessary to the understanding of the title. 

• The words "new," "improved," "improvements in" or "relating to" are not included as first words in the 
title of an application because a patent application, by nature, is a new idea or improvement. 

• The title may be truncated if it consists of more than 500 characters (letters and spaces combined). 

• The docket number allows a maximum of 25 characters. 

• If your application was submitted under 37 CFR 1.10, your filing date should be the "date in" found on the 
Express Mail label. If there is a discrepancy, you should submit a request for a corrected Filing Receipt 
along with a copy of the Express Mail label showing the "date in." 

• The title is recorded in sentence case. 

Any corrections that may need to be done to your Filing Receipt should be directed to: 

Assistant Commissioner for Patents 
Office of Initial Patent Examination 
Customer Service Center 
Washington, DC 20231 
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Please record the attached original documents or copy thereof. 



1 . Name of conveying party(ies): 
Davide Libenzi 
Daniel J. Melchione 



Additional name(s) of conveying party(ies) attached? 



3. Nature of conveyance: 

fx] Assignment j~| Merger 

n Security Agreement Q Change of Name 

fl Other 

Execution Date: 



2. Name and address of receiving party(ies) 
Name: Networks Associates Technology. Inc. 
Internal Address: 



Street Address: 3965 Freedom Circle 



City: Santa Clara State: CA 

Additional name(s) & address(es) attached? Q Yes □ No 



Z b:95Q54 



4. Application number(s) or patent number(s): 

If this document is being filed together with a new application, the execution date of the application is: 
A. Patent Application No. (s) 60/309,858 B. Patent No,(s) 

Additional numhfirs attarhfiri? No 



5. Name and address of party to whom correspondence 
concerning document should be mailed: 

Name : Patrick J.S. Inouve. Esq. 

Law Offices of Patrick J.S. Inouve 



Internal Address: 
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" PATENT TRADEMARK OFFICE- 



Street Address: 810 Third Avenue 
Suite 258 



City: Seattle State: WA Zip: 98104 



6, Total number of applications and patents 
involved: 



7. Total fee (37 CFR 3.41 ) $40 
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I | Authorized to be charged to deposit account 



8. Deposit account number: 
501144 



(Attach duplicate copy of this page if paying by deposit account) 
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To the best of my knowledge and belief, the 
Is a true copy of the original document 

Patrick J.S. Inouve. Esq. 
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Name of Person Signing If SignatuW 

Total number of pages including cover sheet, attachments, and documents: fal 



Date 



Washington, D.C 20231 



Mail documents to be recorded with required cover sheet information to: 
Commissioner of Patents & Trademarks, Box Assignments 



JOINT ASSIGNMENT 



f » , ^ ? 71 i b£nZ1 and Daniel L Melchione > (hereinafter "ASSIGNORS"), citizens 

W^ eSldm f^f Hillshoro Oregan97124 and 10380 

! a / J p p ^ respectively; are the inventors of the invention in «Syslem~" 

And Method For Performing Efficient Anti-Virus Screening Of Transient Messages At A Network 
Gateway, for which we have executed an application for a Patent of the United States 

□ which is executed on even date herewith 

002 oSfoi identified ^ ^ ^ 0FHCES ° F PATRICK LS - m0UYE as attomev docket no. 
0 which was filed on August 3. 2001 Application No. 60/309.858 

and WHEREAS, Networks Associates Technology, Inc. (hereinafter "ASSIGNEE"), a Delaware 
Corporation having a business address at 3965 Freedom Circle, Santa Clara CA 95054, is desirous of 
obtaining our entire right, title and interest in, to and under the said invention and the said application: 

NOW, THEREFORE, in exchange for good and valuable consideration, the receipt of which is 
hereby acknowledged, we, the said ASSIGNORS, have sold, assigned, transferred and set over and by these 
presents do hereby sell, assign, transfer and set over, unto the said ASSIGNEE, its successors le^al 
representatives and assigns, our entire right, title and interest in, to and under the said invention, and the said 
United States application and all divisions, renewals and continuations thereof, and all Patents of the United 
States which may be granted thereon and all reissues and extensions thereof; and all applications for 
industrial property protection, including, without limitation, all applications for patents, utility models, and 
designs which may hereafter be. filed for said invention in any country or countries foreign to the United 
States, together with the right to file such applications and the right to claim for the same the priority rights 
derived from said United States application under the Patent Laws of the United States, the International 
Convention for the Protection of Industrial Property, or any other international agreement or the domestic 
laws of the country in which any such application is filed, as may be applicable; and all forms of industrial 
property protection, including, without limitation, patents, utility models, inventors' certificates and designs 
which may be granted for said invention in any country or countries foreign to the United States and all 
extensions, renewals and reissues thereof; 

AND WE HEREBY authorize and request the Director of the United States Patent and Trademark 
Office, and any Official of any country or countries foreign to the United States, whose duty it is to issue 
patents or other evidence or forms of industrial property protection on applications as aforesaid, to issue the 
same to the said ASSIGNEE, its successors, legal representatives and assigns, in accordance with the terms 
of this instrument. 

AND WE HEREBY covenant and agree that we have the full right to convey the entire interest 
herein assigned, and that we have not executed, and will not execute, any agreement in conflict herewith. 

AND WE HEREBY further covenant and agree that we will communicate to the said ASSIGNEE, 
its successors, legal representatives and assigns, any facts known to us respecting said invention, and testify 
in any legal proceeding, sign all lawful papers, execute all divisional, continuing, reissue and foreign 
applications, make all rightful oaths, and generally do everything possible to aid the said ASSIGNEE, its 
successors, legal representatives and assigns, to obtain and enforce proper protection for said invention in all 
countries. In the event that one or more of the above inventors is not an employee of ASSIGNEE at the 
time such aid is required, they agree to render such aid in return for an hourly rate of pay no greater than 
twice their equivalent regular hourly pay as it stood on the date of their departure from ASSIGNEE. 



IN TESTIMONY WHEREOF, We hereunto set our hands and seals the day and year set opposite 
our respective signatures. j j c °i set opposite 



Date ^ f > . 2001 . ! V j^_/£ , /^w 

Davide Libenzi 

/ 



EMPLOYES INVENTIONS AND PROPRIETARY RIGHTS ASSIGNMENT AGREEMENT 

Oan Meicnicne 

Tta tgnmut ,s mmu » taa ,, K „, „„„,, CMai „ mma ^ m p, oeMurs! „ hic|1 „ 
employment £>y the Company, I acknowledge and agree mat 

1. NoConftct lw.ll perform for me Company suedes as may be debated by the Company from 
.me to t,me During my pencd otemp.oyment oy me Company. . wfl devote my best efforts to ma interests of ma 
Company and w„ not engage ,n omer employment or m any acMe, determined Dy me Company to be detrunental to the 
interests of me Company wjtnout me poor wnnen consent of tne Company 

2 Period of Employment. As used herein, me period of my employment also .ncludes any time in which i 
may oe retamed By the Company as a consultant. — y " " 1 

.n JL« P "° f WOfH ? PreV '° US ^ Dy ™ f ° f mS C ° mpar,y ffi,ai,n9 in *» wa * » ■* w«Pfion 
des,gn. development or support of products for me Company ,s me property of me Company. 

4 Prapretary informal My employment creates a reiationsn.p of confidence and trust between me 
Company and me with respect to any information. ™<ceiweenine 

(a) Appttcaoie to me business of me Company, or 

M Applicable to the busmess of any client or customer of the Company, whjen may be meoe 
Known to me by the company or by any client or customer of me Comply or teamed by me in sucn context dunng the 
penod of my employment vw.uiyuio 

Ail of sucn information has commerce value .n the business in wh,ch Company ,s engaged and ,s nereinafter 
canea 'Propnetary information." By way of .Lustration, but not station. Proletary lafoL J LJ^ ZT 
teennca. and non-techn.cal information including patent, copynght trade secret, and proprietary nbrmon techniques 
sketches, drawings, models, inventions. Know-now. processes, apparatus, reworks , equipment, aioontnms software' 
programs, software source document, and formulae related to the pasi current, future and proposed products and 
services or Company, and includes, witnout i.mitat,on. « respective .nformafon concerning research, experimental work 
development. aes.gn oeians and speefcations. engineering, financia. information, procurement requirements purcnas.no 
manufacturing, customer tists. Duress forecasts, sales and rn.ercnanais.ng and marketing plans and information 

5 Nondisclosure of Propnstary Information Ail Proprietary information a the sole property of me 
Company, its assigns, and its customers_,and me Company, us ass-gns and its customers snail be the sole owner of ail 
patents, copyrights, mask-works, trade sacrets and omer rignts in connection therew.m I herebv assign to me Company 



■24-01 16:45 FftQM-NETTORK ASSOC m 

m T-8U P. 17/48 F- 



any rights I may have or acqu,re ,n such Proprietary information. At an times, cotn dunng my employment o y tne Comp-n, 
and after ,ts tampon, l w„l keep ,n confidence and nm all Proletary informal, and , « not L or a sc4 an7 
tapntttry Informal or anytning directly relating to ,t without the written consent of the Company. Notw«ng me 
fcrego-ng. ,t « understood mat. at a., s«ch times, i am free to use information wmcn .s generady Known in tne trade or 
industry notes a result of a breach of ft,, Agreement and my own sk.il. knowledge, know-now and ^penence to whatever 
extent and in whatever way | wish wwuver 

6 Return of Materials, upon Kmuna&on of m y employment or at me request of the Company before 
terrmnation. I w,,l deliver to tne Company ail written and tang.ble material in my possesion .ncotporattng the Proprietary 
information or otherwise reiaong to the Company's business 

7 inventions as used in mis Agreement, tne term 'inventions' means any and all new or useful art 
discovery, improvement. techn,cal development, or mventon. whether or not patentable, and ail related know-how ' 
designs, maskworks. trademarks, formulae, processes, man-ufactunng techniques, trade secrets ideas artwork software 
and other copyngntaoie ana patentaoie works. 

8. Disclosure of Pray inventus I nave identifies on Extim a ('Prior inventions") artacneo nereto an 
inventions relating m any way to tne Company's Duress or cemonstfaoiy anaopateq researcn and development wmcn 
were made by me poor to my employment «n the Company ('Pnor Inventions'), and I represent that such l.st « complete 
i represent mat l have no rujfus ,n an y sucn inventions otnei man mose Pnor inventus specified »n Exhibit A ('pnor 
inventions') it mere >s no such irst on Exhibit a ("Pnor inventions"). I represent mat I have made no sucn p,icr inventions 
at me time of signing mis Agreement 

9. Ownership of Company inventions; License of Pnor inventions I nereDy agree oromptly to d.sclose 
ano oescnce to me Company, and I hereby assign and agree to assign to me Company or ,ts des.gnee my ent,re nght 
Me. and interest in and to an inventions and any associated intellectual property nghts wh.ch I nuy solely or jointly 
concede, develop or reduce to practice during the period of my emptoyment with the Company (a) wh,cn relate at tne time 
of conception or ,edua,on to pract.ee of me invention to me Ccmpan/s ouaness or aciuai or demonstrate animated 
research or development, or (b) wh.ch were developed on any amount of me Company's wne or w.m me use of any of me 
Company's equipment, supphes. faciiit.es or trade secret information, or (c) wh,ch resulted from any work I performed for 
me Company ('Company Inventions") 1 do hereby grant me Company or its designees a royalty free irrevocable 
worldwide ncense (with ngnts to sublicense tnrougn multiple tiers of ti,stnou!,on) to pract.ee an applicable patent copyngnt 
and other intellectual property nghls relating to any Prior Inventions which I incorporate, or permit to be incorporated ,n 
any Company inventions Notwithstanding the foregoing, i agree mat I will not incorporate, or permit to oe incorporated 
such Pnor Inventions m any Company Inventions without Company's prior wntten consent 

1 0 Cooperation In Perfecting Rignts to inventions 

(a) I agree to perform, during and after my emptoyment, ait acts deemed necessary or desirable 
by the Company to perm.t and asstst n. at its expense, but without additional consideration m excess of my salary or 
wages, in obtaining and enforcing me full benefits, enjoyment, rights and title throughout me world in me inventions hereby 
assigned to me Company. Such acts may include, but are not limited to. execution of documents and assistance or 
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ooopm. ,n tne regisirat.cn and enforcement or applicable patents, copyrights, masxvms or otner ,ecai proceeds ,, 
rhe Con, pany req a ,res my askance after terminal of my employment. | w „ pe compensate* for m!JZ !tS n 

„ n , m , • {G) , "* 3Vefit 816 C ° mpany 13 una0,s for feascn 10 seCa « agnaiure to any 
ocument nsqwreo to apply for or mm any paten, copyngm, mas* wo* or other app„cat,on S wim respect to any 
invents {! nc<uo.ng .mprovements. renewals. extensions, eenm dmaons or contnutfom in pan thereof) 
nereby .rrevocaoiy ongnn and appo.nl the Company and us duly authored officers and agents as my aoents and 

lawMly permuted acts to further tne prosecution ana issuance of patents. copyngnts. maskworks or other ngh-s tneraon 
with ms same legal force ana effect as if executed Dy me 

1 1 No v.o.auon of R,gn £ s of Third Pan.es My performance of al. the terms ot tnis Agreement ana as an 
employee of the Company does not and w„i not breach any agreement to Keep in confidence propnetary mformafon 
knowledge or data acquired Dy me prior to my employment w,tn tne Company, and i will not dsclose to the Company or 
■nduce me Comply to use. any confident or propnetary .nformaaon or matenal fce.ong.ng to any prevous employe or 
others I am not a pany to any othe, agreement *n,ch * mterfer* w.tn my M compnance witn tn.s Agreement I agree 
not to enter m any agreement, wfieinerwnlten or oral. ,n confl.ctw.tn the pistons of mis Agreement 

12 Surv.vai Tn, s Agreement (a) snaa surwe my employment Dy tne Company, (ft) aces not in any way 
restrict my nghl or the right ot me Company to terminate my employment at any ume. for any reason or for no reason 

(c) mures to the benefit of successors ana assigns of tne Company, and (d} .s bmdmg upon my heirs ana legal ' 
representatives ^ 

13 Nonassignable inventus. This Agreement coes not apply to an ttvemon wn.ch nofe* fully as a 
nonassignable invention under mo provisions of Section 2870 or tne Cai.fom.4 Labor Cooe i nave revieweq me 

Scai'^ EXnit> ' :t B C " L ' mited NQ ' , " C * Wn " ) and asree ** m * S! S nat " rc acknowledges rece.pt of the 

14 NO SobcMbon. Ounng me term of my employment w,m ihe Company and for a period of one MI year 
thereafter. I win not solid, encourage, or cause others to «tt or encourage any emp.oyees ot tne Company to emanate 
tnar employment w,tn the Company, [in the case ot personnel at me (Director. v,ce Present and Present th»s paragraph 
.s modified by me "Addendum to Employee inventions Agreement' attached hereto as E*.b« C and incorporated herein 
pyreferencaj ^ 



15 injunc!.ve Rehef. A breach of any or tne promises or agreements contained nerem will result in 
.rreparade and contmumg damage to me Company for wn,ch mere w,H be no adequate remedy at law ana me Company 
shall be entitled to injunctve ret,ef and/or a decree for specific performance, and such omer rehef as may be proper ' 
(including monetary damages if appropriate) 
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16 Notices. Any notice requires or permuted by this Agreement staii be m writing aru snaH be delivered 
as follows with nonce deemed given as mttcarea ty Dy personal delivery when delivered personally: (,;> o y overnight * 
courier upon whiten verification of receipT; (wj by telecopy or fac*m,!e transmission upon acknowledgement of receipt of 
electronic transmission; or (,-v) Dy certified or registered mad. return receipt requests, upon verification of receipt Kcuca 
shall be sent to the addresses set form above or such other address as either parry may specify in writing 

1 7 Governing Law. TniS Agreement shall be governed in all respects by me laws of me united States of 
America and oy the laws of tne State of California, as Such laws ars applied to agreements entered into and to be 
performed entirely witmn California between California residents. 

- 18 Severability Should any provisions of this Agreement be held by a court of taw to illegal, invalid or 
unenforceable, tne legality, validity and enfcfcea&lity of the remaining provisions of ma Agreement shall not be affected or 
impaired thereby 

1 9 waiver. The waiver Dy tne Company of a breach of any provision of tfos Agreemeni t>y me snail not 
operate or be construed as a waiver of any other or subsequent breach by me 

20 Termination of Employment 

(a) if my employment with the Company ?s terminated tor any reason, I snail promptly and 
witnout request inform the Company of and deliver to the Company all documents and asm peraiMg to my employment 
and tne Proprietary Information and Inventions. nT&wec prepared by me or otherwise coming into my possession or 
control. I shall not rerain any written orotner tangible materia! containing any information concerning or disclosing any 
Proprieiary information or inventions. 

(b) if my employment wuh the Company is terminated for any reason, i will protect tne value of 
the Proprietary information and Inventions and will prevent their misappropriation or disclosure i will not oisaose or use 
any Proprietary Information or inventions tor my benefit or the Denefit ol any third party, or to the detriment of the Company 
onis customers 

(c) I recognize that the unauthorized taking of any of me Company's trade secrets is a crime 
under California Penal Cooe section 499c. punishable oy imprisonment for a time not 
.exceeding one year, by a fine not exceeding S5000. or both I further recognize mat such 
unauthorized taking of the Company's rrsoe secrets could also result m avit liability under the 
California Uniform Trade Secrets Act iCivii Code sections 3426-3426 11). and that willful 
misapprapnation may result in an award against me for triple the amount of the Company's 
damages and tne Company s attorney fees in collecting such damages 

21 . Entire Agreement This Agreement represents my enure understanding wim the Company with 
respect to the subject matter of this Agreement and supersedes all previous understandings, written or oral. This 
Agreement may be amended or modified only with the written consent of bom me and the Company No oral waiver, 
amendment or modification shall be effective under any circumstances whatsoever. 
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i cenjfy and acxncwiesge tnsc [ nave carafuiiy 
and will My and family comply wttn suen provisions 

Company 
myCfO.com 

By 

Title 

Dated. 



an or cne provisions onhis Agn=smem and thai 1 uncerstancl 
EMPLOYEE 




Pnotea Name: Dan Meecnione 
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ExniDit 3 



LIMITED EXCLUSION NOTlFlCATiON 



THIS IS TO NOTIFY yQu » accordance witn Section 2372 of the California Labor Coae that me foregoing 
Agreement between you and the Company does not requ.re you to assign or offer to assign to ma Company any invent-on 
that you developed entirely on your own time without using the Company's equipment, supphes. faaht.es or trade secret 
information except for moss inventions that either 

(1) Relate at the Dme of conception or reduction to practice of me invention to tne Company's business or 
actual or demonstrably anticipated research or development of the Company 

(2) Resuit from any word performed oy you tor tne Company 

To tne extent a provision m the foregoing Agreement purports to require you to assign an invention otherwise 
excludes from tne preceding paragraph, tne prov ( sicn is against the public poky of this state and is unenforceable. 

Tnis limited exclusion does not apply to any patent or invention covered by a contract between the Company and 
the Un.ted States or any of its agencies requiring foil title to Such patent or invention to be in me united States. 

I ACKNOWLEDGE RECEIPT of a copy of Btt notification " 




Dan Melchione 




Witnessed by 



(Printed Name of Representative) 
Dated. 
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EXHIBIT C 

ADDbNOUM TO EMPLOYEE INVENTIONS AND 
PROPRIETARY RIGHTS ASSIGNMENT AGREEMENT 
[For Directors. Vies Presidents, President] 

This Addendum, dated to be effective as of . nsfeDy mQlTlH ma Su!5plemenis ^ E 

nvenbons anc I Proprietary Rights Assignment Agreement (the "Employee inventions Agreement beS CcXnv and 
me individual Employee identified below. ' company and 

in return for new or continued employment by the Company at the level of Director. V,ce President or President me 
Company and the Employee hereby acknowledge ana agree as follows ' 



Definitions 



As used in tms definition, the following terms shall nave tne following meanings- 



•Applicable Pee- snail mean fifty percent of me On Target Compensation of me Restncted individual m me one 
year penod ending on me date mat me Restricted individual last provides services to Company. 

-Contract Employee" means a person who proves services to an entity as an independent contract either directly 
or tnrcugn a contract witn a temporary or other Similar serv.ee and such person has worked more man twentv 
hours a week for a period of longer man two weeks on projects identified and directed by such entity "Contract 
Employees do not include persons providing consulting sendees to an entity pursuant to a consulting serves 
agreement between Company and such entity a *sn*.es 

-Employed" snail mean mat me manual ,s a m- or part-time employee of Employee s new employer or is a 
Contract Employee of Employee's new employer "pwjwwraa 

-Employee's work ^Organization' snail mean, mm respect to any entity at wmcn Employee is either a lull- or part- 
time employee or Contract Empioyoe. mose persons reporting to Employee, any persons reporting to such 
persons, directly or tnrougn inie.med.ate personnel and any other persons for whose work product and work 
results Employee is responsible or directs m whole or substantial part 

-On Target Compensation" shall n.uan tne amount paid to sucn Restricted individual lor mat persons services 
including bonuses and commissions, and the amount of bonus and/or commission mat sucn individual would nave 
been paid in any final partial quarter lud such person remained during tne entire penod and completed all 
designated objectives for the bonus in me case of a non-s3les person or achieved h.s or her sates quota m me 
case ot a sales person M 

■Restricted individual' snail mean any person who has worked at Company either as a full- or part-time employee 
or as a Contract Employee witnm Six montns pnor to me tmbal date mat me person is Employed m Employee's 
work Organization. r 7 k«7«" 

2. use of Restricted individuals 

in accordance with me Employes Inventions Agreement, me Employee agrees mat dunng me term of its employment with 
me Company and for a period of one (1) year thereafter. Employee snail not soi.&t. encourage, or cause otners to solicit or 
encourage any employees of me Company to terminate tneir employment witn me Company Employee hereby agrees that 
in tne event mat Employee breaches this provision, me Company will suffer damaoes. and that such damages would pe very 
difficult to ca'culate. however, such damages would certainly encompass expenses in recruiting and training a replacement 
for me employee Thus, if witnm one year of me termination of Employee's employment with Company for whatever reason 
or no reason, a Restncted individual is Employed m Employee's Work Organization, Employee agrees to pay to Company ' 
the Applicable Fee witn respect to eacn sucn Restricted Individual. The Applicable Fee shall be due and payable to 
Company w.m.n m.rty days of me date me first payment is maoe to me Restricted Individual with respect 63 nis or ner 
Employment in Employee's work Organization. The Applicable Fee is intended to compensate the parties for me actual 
damages suffered and is net intended to oe punitive m nature 
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3 Confirmation and Application 

Tnis Addendum shall fre governed By and forms a part of the Employe inventions Agreement between Company and 
Employee i he foregoing agreements are in aoamon to ano do not supercede the terms of the Employe" inventions 
Agreement with respect to solicitation or hinng of the employees of Company 

The Company ana Employee hereby ratify and confirm tne Employee invention Agreement 

IN WITNESS WHEREOF, Company and Employee have executed m Addendum to tns Employee inventons Agreement as 
or tns day and ysariirstapove whiten v 7 5 »" w "^wmwui 

myCIQ.com EMPLOYES. 



By . 

N ame - . Name Dan Metcnione_ r i . 

T.tie- Title fc#JU U- I 



Declaration of Casey Leichter 
Docket No. 002.0230.01 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



Applicant(s): Kouznetsov et al. ET^\ 




Application No.: 10/057,702/ 
Filed: January 25, 2002 V 


1 Group Art Unit: 2171 


Title: System And Method For Providing A 
Framework For Network Appliance 
Management In A Distributed 
Computing Environment 


Examiner: Unassigned 


Attorney Docket No.: 002.0230.01 





Assistant Commissioner for Patents 
Washington, D.C. 20231 

DECLARATION OF CASEY LEICHTER ACCOMPANYING 
PETITION FOR PATENT APPLICATION FILING UNDER 37 CFR 1.47(a) 

I, Casey Leichter, am a paralegal in the Law Offices of Patrick J.S. Inouye. I am 
responsible for handling the receipt and sending of written correspondence, including 
correspondence sent to and received from clients and inventors, via the U.S. Postal Service and 
other carriers. I receive and send correspondence daily. 

On December 21, 2001, per the instructions of Patrick J.S. Inouye, I mailed the following 
documents (" Documents") to Daniel J. Melchione: (1) U.S. Patent Application entitled, "System 
And Method For Providing A Framework For Network Appliance Management In A Distributed 
Computing Environment"; (2) Declaration and Power of Attorney; (3) Assignment; and (4) cover 
letter from the Law Offices of Patrick J.S. Inouye, dated December 21, 2001 (Exhibit 8). I sent 
two sets of the Documents to Mr. Melchione to his last known address at 10380 SW 152 nd 
Terrace, Beaverton, Oregon 97007. I sent the original set via Certified Mail with Return Receipt 
Requested ("Certified Mailing Document Set"). I sent a copy of the original Documents via First 
Class Mail ("First Class Mail Document Set"). Copies of the Certificate of Mailing and the 
Certified Mail Receipt for the Certified Mailing Document Set, both dated December 21, 2001, 
are provided at Exhibit 9. 



Declaration of Casey Leichter 
Docket No. 002.0230.01 



On January 18, 2002, the U.S. Postal Service notified me that: (1) Notices of Certified 
Mail were left at Mr. Melchione's above-noted address on December 24, 2001, and January 11, 
2002, informing of the arrival of the Certified Mailing Document Set; (2) the Certified Mailing 
Document Set was held at the U.S. Post Office, Aloha, Oregon branch, pending pickup by Mr. 
Melchione; and (3) the Certified Mailing Document Set was not picked up by Mr. Melchione. I 
was told by the U.S. Postal Service that the Certified Mailing Document Set was marked 
"Unclaimed" and would be returned back to my office in due course. 

Around January 31, 2002, the Certified Mailing Document Set was returned back to me 
in the mail as undeliverable. A stamp on the envelope indicates the package was unclaimed. A 
copy of the envelope for the Certified Mailing Document Set, indicating the reason for return, is 
provided at Exhibit 10. 

To date, I have not received back the First Class Mail Document Set. 

I hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 



Date 




a 



Case 




The Law Offices o.. . atrick J.S. Inouye 

Registered Patent Attorney 



Office: 

Telephone: 
Facsimile: 
Email: 



810 Third Avenue, Suite 2SS 
Seattle, Washington 98104 
(206) 381-3900 
(206) 381-3999 

patrick_inouye@qwest.net 



December 21, 2001 




Copy via first Class Mail 



VIA CERTIFIED MAIL - w/Co 

Daniel J. Melchione 
10380 SW 152d Ten-ace 
Beaverton, OR 97007 

RE: U.S. Patent Application En? 

"System And Method For Providing Web Browser-Based Secure Remote 
Network Appliance Configuration on a Distributed Computing 
Environment" 1 
Applicants: Kouznetsov et al. 
Serial No.: Unassigned 
Filed: TBD 

Our Docket No.: 002.0233.01 
NAI Docket No.: 01.085.01 




Dear Dan: 

Please find enclosed a draft of the above-identified patent application for review, as well 
as formal documents for execution. 

• As you may recall, this patent application is a conversion of the provisional U.S. 
applications entitled, "Secure Network Appliance Configuration and Management 
Framework," and "System And Method for Performing Efficient Anti-Virus Screening of 
Transient Messages at a Network Gateway," both of which were filed with the U.S. 
Patent and Trademark Office on August 3, 2001. 

After you have completed your review, please sign and date the enclosed 
Declaration/Power of Attorney, and execute and sign the Assignment. Please return both 
completed documents in the enclosed self-addressed, stamped envelope. 

As a reminder, you are under an obligation to assign this patent application per your 
employment contract with Network Associates, Inc. That obligation legally applies even 
when you are a former employee who participated as an inventor during the time of your 
employment. 

Please feel free to call me should you have any questions. Thank you. 

Very truly yours, 

Patrick !. S. Inouye 

Ends. 
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ATTORNEY DOCKET NO. 002.0233.01 



DECLARATION AND POWER OF ATTORNEY 

FOR PATENT APPLICATION [ JUM 2 6 2002 

As a below named inventor, I hereby declare that: ~ ' 
My residence/post office address and citizenship are as stated belJvMtet to m\ 

ITSLTwTo^ .« (ifpIural names 

the specification of which is attached hereto unless the following box is checked- 

CER. 1 .56. acKnowiea 0 e the duty to disclose all information wh.ch is material to patentability as defined in 37 

Foreign Application(s) and/or Claim of Foreign Priority 



APPLICATION NUMBER 



DATE FILED 



application on which priority is claimed: 
PRIORITY CLAIMED UNDER 35 U.S.C. 1 19 



YES: 



NO: 



YES:. 



NO:„ 



Provisional Application 



, *«^vw m auy uuncu o utu 

APPLICATION SERIAL NUMBER 


;s provisional appucation(s) 1 
FILING DATE 


60/309,835 


8/3/2001 ' 


60/309,858 


8/3/2001 



U.S. Priority Claim 

acknowledge the duty to disclose material infci ^ <* ™* 35 ' States Code Section 1 12, 1 

prior application and the national or PCT international filing date of! this apjLrion: Re S^ations, Section 1 .56(a) which occurred between the filing date of the 



APPLICATION SERIAL NUMBER 



FILING DATE 



STATUS(patented/pending/abandoned) 



POWER OF ATTORNEY: — _J 

As a oa.ec. inventor, I^appoin, the following a tt orne y (s) and/or agent(s) listed below to prosecute this appiication and transact a„ business i„ tne Patent and 



— — — t * ^ \j j uj/pv/im 

Trademark Office connected therewith. 

Patrick J.S. Inouye, Esq.. Reg. No. 40297 



Christophe r J. Hamaty. Esq., Reg. No 37.634 



Direct Telephone Calls To: 

Patrick J.S. Inouye, Esq. 
(206)381-3900 



Send Correspondence to: 

Patrick J.S. Inouye, Esq. 
Law Offices of Patrick J.S. Inouye 
810 Third Avenue 
Suite 258 

Seattle, WA 98104 

isassg i^ssa gA^^^as ^r rr e °vff r r aad behet - beueved to be = ^ 

of Title 18 of the United States Code and that sucnwiUfu, fa.se ^^^^^^^^^^^^^^^ 

Full Name of Inventor: Victor Kouznetsn v 

— — . Citizenship: Russia 

Residence: 20287 SWTremont Wav. Aloha. Oregon 97nn7 " ~ 

Post Office Address: Same " " 



Inventor's Signature 



Date 



Page 1 



Full Name of Inventor: Michael Chin-Hwan Pak 



Residence: 15894 NW Andalusian Way, Portland, OR 97229 
Post Office Address: Same 



Ci ;hip: USA_ 



Inventor's Signature 



Date 



Full Name of Inventor: Daniel J, Melchione 



Residence: 10380 SW 152d Terrace. Beaverton. Oregon 97007 
Post Office Address: Same 



Citizenship: USA 



Inventor's Signature 



Full Name of Inventor: Nicholas C. W. Hode 



Date 



Residence: 147 West Campus. Orego n State University. CorvaMis. Oregon 97331-1801 
Post Office Address: Same 



Citizenship: USA 



Inventor's Signature " " " Date" 
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JOINT ASSIGNMENT 



r w it W , H 5 REAS ', W ^: A V ic T 0 I Kouznetsov - Da "iel J. Melchione, Michael Chin-Hwan Pak, and Nicholas 

^^T^r^w^^T' 0, dti2enS ° f RUSSk ' USA " USA ' and USA ' respectively re dinl 
fs lf^ff I'"?" 1 " ?T' nn 97007: 10380 S W 1 5 2d ana BeavertoiL QregoLzQQI 

Stwh? 'T '? ^ the inv entors of the invention in "System And Method For 

Providing Web Browser-Based Secure Remote Network Appliance Configuration In A Distributed 
Computing Environment for which we have executed a patent application with the U.S. Patent and 
Irademark Office of the United States 

0 which is executed on even date herewith 

(LSm <S identified ^ 0FFICES ° F PATRICK J S - m0VYE aS att ° mev docket na 

□ which was filed on [FILING DATE], Application No. [APPLICATION NO.] 

and WHEREAS, Networks Associates Technology, Inc. (hereinafter "ASSIGNEE") a Delaware 
Corporation having a business address at 3965 Freedom Circle, Santa Clara CA 95054, is desirous of 
obtaining our entire right, title and interest in, to and under the said invention and the said application: 

NOW, THEREFORE, in exchange for good and valuable consideration, the receipt of which is 
hereby acknowledged we, the said ASSIGNORS, have sold, assigned, transferred and set over, and by these 
presents do hereby sell, assign, transfer and set over, unto the said ASSIGNEE, its successors le»al 
representatives and assigns, our entire right, title and interest in, to and under the said invention, and the said 
United States patent application and all divisions, renewals and continuations thereof, and all Patents of the 
United States which may be granted thereon and all reissues and extensions thereof; and all applications for 
industrial property protection, including, without limitation, all applications for patents, utility models and 
designs which may hereafter be filed for said invention in any country or countries foreign to the United 
States together with the right to file such applications and the right to claim for the same the priority rights 
derived from said United States application under the Patent Laws of the United States, the International 
Convention for the Protection of Industrial Property, or any other international agreement or the domestic 
laws of the country in which any such application is filed, as may be applicable; and all forms of industrial 
property protection, including, without limitation, patents, utility models, inventors' certificates and designs 
which may be granted for said invention in any country or countries foreign to the United States and all 
extensions, renewals and reissues thereof; 

AND WE HEREBY authorize and request the Director of the United States Patent and Trademark 
Office, and any Official of any country or countries foreign to the United States, whose duty it is to issue 
patents or other evidence or forms of industrial property protection on applications as aforesaid, to issue the 
same to the said ASSIGNEE, its successors, legal representatives and assigns, in accordance with the terms 
of this instrument. 

AND WE HEREBY covenant and agree that we have the full right to convey the entire interest 
herein assigned, and that we have not executed, and will not execute, any agreement in conflict herewith. 

AND WE HEREBY further covenant and agree that we will communicate to the said ASSIGNEE 
its successors, legal representatives and assigns, any facts known to us respecting said invention, and testify 
in any legal proceeding, sign all lawful papers, execute all divisional, continuing, reissue and foreign 
applications, make all rightful oaths, and generally do everything possible to aid the said ASSIGNEE its 
successors, legal representatives and assigns, to obtain and enforce proper protection for said invention in all 
countries. In the event that one or more of the above inventors is not an employee of ASSIGNEE at the 



time such aid is required, they agree to render such aid in return for an hourly rate of pay no greater than 
twice their equivalent regular hourly pay as it stood on the date of their departure from ASSlGml 

IN WITNESS WHEREOF, said Inventory have executed and delivered this instrument to said 
Assignee as of the dates written below. 



Date 



2001 



Date 



2001 



Da[ e __, 2001 



Dat e— _, 2001 



Victor Kouznetsov 



Daniel J. Melchione 



Michael Chin-Hwan Pak 



Nicholas C.W. Hogle 



Date 



, 2001 

Nicholas C.W. Hogle 



Patent Application 
Docket No. 002.0233.01 
NAI Docket No. 01.085.02 
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5 SYSTEM AND METHOD FOR PROVIDING WEB BROWSER-BASED 
SECURE REMOTE NETWORK APPLIANCE CONFIGURATION IN A 
DISTRIBUTED COMPUTING ENVIRONMENT 

Cross-Refe rence to Related App lications 

This patent application is a conversion of U.S. provisional patent 
applications, Serial No. 60/309,835, filed August 3, 2001, pending; and Serial No. 
60/309,858, filed August 3, 2001, pending; the priority dates of which are claimed 
and the disclosures of which are incorporated by reference. 

Field of the Invention 

The present invention relates in general to secure network appliance 
15 configuration and, in particular, to a system and method for providing Web 
browser-based secure remote network appliance configuration in a distributed 
computing environment. 

Background of the Invention 

Enterprise computing environments generally include both localized 
20 intranetworks of interconnected computer systems and resources internal to an 
organization and geographically distributed internetworks, including the Internet. 
Intranetworks make legacy databases and information resources available for 
controlled access and data exchange. Internetworks enable internal users to 
access remote data repositories and computational resources and allow outside 
25 users to access select internal resources for completing limited transactions or 
data transfer. 

Increasingly, network appliances, or simply "appliances," are being 
deployed within intranetworks to compliment and extend the types of services 
offered. As a class, network appliances have closed architectures and often lack a 
30 standard user interface. These devices provide specialized services, such as 
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electronic mail (email) anti-virus scanning, content filtering, file, Web and print 
service, and packet routing functions. 

Ideally, network appliances should be minimal configuration devices, 
which are purchased, plugged into a network, and put into use with no further 
5 modification or change. Analogous to a cellular telephone, a network appliance 
should ideally provide the service promised without requiring involved 
configuration and setup by individual users or administrators. 

Nevertheless, configuring newly-installed appliances remains a 
complicated and confusing endeavor. Appliance configuration is generally 
10 vendor-specific and device-dependent. The lack of a user interface allows only 
indirect configuration and setup. Configuration often takes several steps. From a 
physical connectivity standpoint, appliance configuration typically requires 
operating a manual control panel, reconfiguring an installed appliance from a 
factory set of default settings or performing a myriad of other device-dependent 
15 operations to affect a configured setup. Consequently, a higher than average level 
of user sophistication is required to avoid a confusing, incorrect or potentially 
catastrophic outcome. 

In addition, operational software and firmware must also be properly 
configured as part of an initial setup. Often, a full software suite, including 
operating system, must be installed prior to initializing the appliance. In addition, 
the network protocol stack must be configured to operate within the specific 
installed network topology into which the device is deployed. 

Finally, various policies must be installed and operationally enforced on 
each appliance. Appliances offering plug-and-play installation generally lack the 
default settings necessary to enforce security and administrative policies. As 
well, until fully configured, these devices enjoy potentially free rein over a 
network domain and pose a serious security risk to an entire enterprise. 

For instance, replay attacks are possible during device configuration. A 
configuration packet could be intercepted by a hostile agent and later re-sent 
("replayed") with altered settings to reset the configuration and create a security 



20 



30 

breach 
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In addition to per-device configuration and setup considerations, the 
deployment of appliances can create network management concerns. For 
instance, a large population of deployed appliances can drastically increase 
network management workload. Vendor-specific and device-dependent settings 
necessitate individualized attention to each successive appliance installation. A 
rich network environment having a multitude of heterogeneous systems and 
appliances can quickly overwhelm a network administrator and make the task of 
identifying unconfigured devices difficult and time consuming. 

In the prior art, the dynamic host configuration protocol (DHCP) provides 
a partial solution. DHCP allows a TCP/TP-compatible device to be dynamically 
assigned a network address within a pre-defined network domain. A DHCP 
server maintains a table of the network addresses assigned to each interconnected 
device, thereby preventing address conflicts. Network address assignments are 
"pushed" to each newly-connected device. However, DHCP servers are limited 
to configuring network addresses and fail to provide policy and device parameter 
configuration and setup. 

Therefore, there is a need for an approach to providing remote secure 
configuration of network appliances from a standardized user interface. 
Preferably, such an approach would offer a Web browser-based solution allowing 
configuration from a ubiquitous and widely available interfacing means. Such an 
approach would further provide a standardized interface for appliance 
configuration and setup in a vendor-neutral and device-independent fashion. 

There is a further need for an approach to providing automatic 
configuration of network appliances during initialization upon deployment into a 
network domain. Preferably, such an approach would provide a complete 
bootstrap solution with minimal user interaction. Furthermore, such an approach 
would preferably realize a cellular telephone service model of purchase, plug in 
and use. 

There is a further need for an approach to providing network-based 
configuration of network appliances that substantially minimizes the potential for 
creating security risks and, in particular, preventing replay attacks. 
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Summary of th e Invention 

The present invention provides a system and method for remotely 
configuring a network appliance deployed within a network domain. A 
configuration client executes a Web browser upon which is loaded an applet for 
performing remote appliance configuration. The applet is initially retrieved from 
a centralized network operations center, which maintains a set of applets 
customized for each separate network domain and individual configurations for 
various network appliances. The configuration client, via tie applet, broadcasts a 
"ping" query message to all appliances and receives back from each a response 
indicating a configuration state. An appliance configuration for each 
unconfigured network appliance is requested from the network operations center. 
The network operations center returns configuration parameters to the 
configuration client and a configuration packet is sent to each unconfigured 
appliance. Upon the successful configuration of each appliance, the configuration 
client instructs the appliance to begin a remote management session. Otherwise, 
the configuration packet is resent or the configuration client waits for the 
installation to complete. 

An embodiment of the present invention provides a system and a method 
for providing Web browser-based remote network appliance configuration in a 
distributed computing environment. A query message is broadcast from an applet 
executing within a Web browser to one or more network appliances. The network 
appliances are interconnected within a bounded network domain defined by a 
common network address space. A response message containing network 
settings, including a physical network address, is received by the applet from at 
least one such network appliance responsive to the query message and processed. 
A configuration packet is generated and sent using the physical network address 
for each at least one such network appliance sending a response message and 
requiring configuration. 

A further embodiment provides a system and method for remotely 
configuring a network appliance deployed within a distributed computing 
environment. A response message containing network settings is sent from at 
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least one network appliance responsive to a query message broadcast over a 
specified network domain within which the at least one network appliance * 
operates. A configuration package for the at least one network appliance is 
generated. The configuration package contains centrally managed network 
settings customized for the at least one network appliance. The configuration 
package is installed on the at least one network appliance as part of an 
initialization bootstrap operation. 

Still other embodiments of the present invention will become readily 
apparent to those skilled in the art from the following detailed description, 
wherein is described embodiments of the invention by way of illustrating the best 
mode contemplated for carrying out the invention. As will be realized, the 
invention is capable of other and different embodiments and its several details are 
capable of modifications in various obvious respects, all without departing from 
the spirit and the scope of the present invention. Accordingly, the drawings and 
detailed description are to be regarded as illustrative in nature and not as 
restrictive. 

Brief Description of the Drawing 

FIGURE 1 is a block diagram showing a system for providing Web 
browser-based secure remote network appliance configuration in a distributed 
computing environment. 

FIGURE 2 is a block diagram showing the software modules of the 
network operations center of FIGURE 1. 

FIGURE 3 is a block diagram showing the software modules of the 
configuration client of FIGURE 1. 

FIGURE 4 is a block diagram .showing the software modules of an 
exemplary network appliance of FIGURE 1. 

FIGURE 5 is a process flow diagram showing a remote network appliance 
configuration, as performed by the system of FIGURE 1. 

FIGURE 6 is a data structure diagram showing a configuration packet 
served by the configuration client of FIGURE 1. 
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FIGURE 7 is a flow diagram showing a method for providing Web 
browser-based secure remote network appliance configuration in a distributed 
computing environment, in accordance with the present invention. 

FIGURE 8 is a flow diagram showing the process performed by the 
network operations center of FIGURE 2. 

FIGURES 9A and 9B are flow diagrams showing the process performed 
by the configuration client of FIGURE 1. 

FIGURE 10 is a flow diagram showing the process performed by the 
network appliance of FIGURE 4. 

Detailed Descrip f inn 

FIGURE 1 is a network diagram 10 showing a system for providing Web 
browser-based secure remote network appliance configuration in a distributed 
computing environment, in accordance with the present invention. The 
distributed computing environment is preferably TCP/IP compliant. A plurality 
of individual network appliances (or simply "appliances") lla-c are 
interconnected via an intranetwork 13. Each of the appliances lla-c is 
autonomously configured and provides specified functionality, such as electronic 
mail (email) anti-virus scanning, content filtering, packet routing, or file, Web, or 
print service. Other forms of appliance services are feasible, as would be 
recognized by one skilled in the art. 

In addition to providing the specified functionality, the various appliances 
lla-c are autonomously self-configured and self-managed, as further described 
below beginning with reference to FIGURE 4. The appliances. lla-c are remotely 
configured through a configuration client 16 executing within a bounded network 
domain defined by a common network address space. The configuration client 16 
includes a Web browser 17 upon which an applet 23 executes to transparently 
install and configure each of the interconnected appliances lla-c. 

Upon the physical connection of each new appliance lla-c onto the 
intranetwork 13, an administrator executes a configuration application on the 
configuration client 16 via the Web browser 17. The Web browser 17 provides a 
user-friendly and standardized user interface for configuring appliances lla-c in a 
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device-independent and vendor-neutral manner. The configuration application 
executes the applet 2, which broadcasts a "ping" query message to all appliances 
lla-c on the intranetwork 13. In response, each appliance lla-c sends a response 
back to the configuration client 16, which then determines those appliances lla-c 
requiring configuration and setup. 

For each unconfigured appliance lla-c, the configuration client 16 
requests configuration parameters from a centralized network operations center 
(NOC) 12 in a secure session. 

The network operations center 12 determines the parameters necessary to 
properly configure the unconfigured appliance lla-c in accordance with 
applicable security and administration policies. The configuration parameters are 
sent to the requesting configuration client 16. Upon receiving the set of 
configuration parameters for each new appliance lla-c, the configuration client 
16 generates a configuration packet, which is customized for and sent to each 
! unconfigured appliance lla-c. Upon the successful installation of each 

configuration packet by the appliances lla-c, the configuration client 16 sends a 
"kick-start" packet to initiate a secure remote management session on each 
. appliance lla-c, such as described in commonly-assigned related U.S. patent 

application Serial No. , entitled "System And Method For 

Providing A Framework For Network Appliance Management In A Distributed 
Computing Environment," filed January 25, 2002, pending, the disclosure of 
which is incorporated by reference. 

The appliance configuration performed by the configuration client 16 is 
system independent and can be executed by any client interconnected within the 
same network domain as the appliances being configured. Accordingly, each new 
configuration client 16 initially requests an applet from an applet server 15 
executing on the network operations center 12 via a secure session. The applet 
server 15 is coupled to an applet database 14 to allow customization of the 
configuration functions performed within each individual network domain. Upon 
receipt of the applet, the configuration client 16 can proceed to configure the 
individual appliances lla-c. 



0233.01.ap2 



-7- 



Each appliance lla-c is interconnected via an intranetwork 13 which is, in 
turn, interconnected to an internetwork 20, including the Internet, via a firewall 21 
and border router 22. The configuration client 16 is also interconnected via the 
intranetwork 13 and shares the same network domain with the appliances lla-c. 

5 The network operations center 12 is external to the intranetwork 13 and is only 
accessible as a remote host via the internetwork 20. Accordingly, the 
configuration parameter and applet request functions are transacted with each 
appliance lla-c in a secure session, preferably using the Secure Hypertext 
Transport Protocol (HTTPS). Other network configurations, topologies and 

0 arrangements of clients and servers are possible, as would be recognized by one 
skilled in the art. 

The individual computer systems, including servers and clients, are 
general purpose, programmed digital computing devices consisting of a central 
processing unit (CPU), random access memory (RAM), non-volatile secondary 
> storage, such as a hard drive or CD ROM drive, network interfaces, and 
peripheral devices, including user interfacing means, such as a keyboard and 
display. Program code, including software programs and data, are loaded into the 
RAM for execution and processing by the CPU and results are generated for 
display, output, transmittal, or storage. 

FIGURE 2 is a block diagram showing the software modules 30 of the 
network of FIGURE 1. The network operations center 12 includes three modules: 
status monitor 31, status daemon 32 and applet server 15. The applet server 15 
executes as part of the network operations center 12. The status monitor 31 
receives periodic status reports from the individual network appliances lla-c 
(shown in FIGURE 1). Each status report is recorded and registered in an 
appliance status table 33, which notes the appliance user identifier (UID) and time 
of each report. The status daemon 32 executes as an independent process that 
periodically awakens and examines the appliance status table 33 to determine 
whether any of the appliances lla-c have failed to report. As necessary, an alert 
is generated to inform an administrator of a potentially faulty appliance. 
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The applet server 15 includes three modules: applet engine 34, database 
35, and crypto 36. The applet engine 34 downloads individual applets 23 
maintained in the applet database 14 to requesting configuration clients 16 (shown 
in FIGURE 1) via a secure session. A library of applets 37 are maintained to 
5 allow customization of the various configuration applications executing within the 
Web browsers 17 each configuration client 16. 

The database module 35 interfaces to the applet database 14 to access the 
applets 37 maintained therein. In the described embodiment, the applet database 
14 is a structured query language (SQL) based database. The applets 37 are 
10 stored as structured records indexed by client identifiers. 

The crypto module 36 provides asymmetric (public key) and symmetric 
encryption. Both forms of cryptography are needed to transact a secure session 
with each appliance lla-c. As well, the network operations center 12 uses the 
crypto module 36 to digitally sign and encrypt the applets 37. 
15 The network operations center 12 includes a message queue 38 through 

which instructions to the applets 23 (shown in FIGURE 1) deployed on the 
individual configuration clients 16 are communicated. The configuration clients 
16 execute in an event-driven manner. Periodically, each configuration client 16 
checks the message queue 38 for new instructions which are transparently 
20 executed by the applet 23. 

In the described embodiment, five types of messages are communicated 
between the network operations center 12 and the configuration clients 16, as 
follows: 

sendRefreshQ: Sends a message to message queue 38 instructing the 
25 applet 23 to refresh the list of appliances 1 la-c that are on the network. 

SendKickQ: Sends a message to message queue 38 instructing the applet 
23 to send out a kick-start packet to the appliance lla-c with the given media 
access controller (MAC) address. 

Parameters: 
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MAC: The MAC address of the appliance lla-c to which the kick- 

start packet will be sent. Should be in 
"AA:BB:CC:00:11:22" format. 
sendConfigO: Sends a message to message queue 38 instructing the applet 
5 23 to send a "CONFIG" configuration packet to the appliance lla-c with the 
given MAC address. 
Parameters : 

MAC: The MAC address of the appliance lla-c to which the 

configuration packet will be sent. Should be in 
10 "AA:BB:CC:00:11:22" format. 

Hostname: Value to be assigned as the hostname. 
Domain: Value to be assigned as the domain name. 
IP: Value to be assigned as the IP address. 

Netmask: Value to be assigned as the network mask. 
Gateway: Value to be assigned as the internet gateway. 
DNS1: Primary domain-name server. 

DNS2: Secondary domain-name server. 

String getListQ: Returns a list of select appliances lla-c with current 
network configuration in an internal appliance list in a configuration client 16. 
Parameters : 

Filter: Value that determines which appliances 1 la-c are returned. 

If the value is "0," all appliances are returned; and if the 
value is "2," only configured appliances are returned 

Return Value : 

The return value is a String that contains the select appliances, and current 
configuration information. The return value is a pipe-symbol ("|") 
delimited for every network parameter. An example return value is: 

00:B0:D0:ll:22:33:testl,mycio.com 3 127.0.0.1,255.255.255. 
128 5 0.0.0.0,0.0.0,0.0.0.0|00:ll:22:33:44:55:test2, 
mycio.com,127.0.0.1,255.255.255.128,0.0.0.0.0,0.0.0.0 
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getStatusQ: Returns the status of the sendConfig message. Returns "0" if 
no SUCCESS or FAILED packet has yet been received from an appliance lla-c; 
"1" if a SUCCESS packet was received; and "-1" if a FAILED packet was 
received. 

FIGURE 3 is a block diagram showing the software modules 40 of a 
configuration client 16 of FIGURE 1. The configuration client 16 includes a 
Web browser 17 executing an applet 23. In the described embodiment, the Web 
browser 17 is a HTML-compatible Web browser, such as the Internet Explorer, 
licensed by Microsoft Corporation, Redmond, Washington, capable of executing 
downloadable programs, including applets, written in an interpretable 
programming language, such as the Java programming language. 

The applet includes three functional modules: status 41, configuration and 
packet generation 42, and completion 43. The status module 41 broadcasts a 
query message to the interconnected network appliances lla-c (shown in 
FIGURE 1) and processes response messages received back to determine the 
configuration of each appliance lla-c. The status of each appliance lla-c is 
maintained in a configured appliances list 44. The configuration and packet 
generation module 42 receive configuration parameters from the network 
operations center 12 (shown in FIGURE 1) and generates a configuration packet 
for downloading to an unconfigured appliance lla-c. The completion module 43 
receives a status message from each unconfigured appliance lla-c indicating 
whether the configuration packet was successfully installed. A configuration 
packet will be re-sent to any appliance lla-c that fails to successfully complete 
configuration. 

FIGURE 4 is a block diagram showing the software modules 50 of an 
exemplary network appliance 11a of FIGURE 1. Application-specific logic has 
been omitted for clarity. As pertains to autonomous configuration and 
management, each network appliance 11a includes four modules: bootstrap 
module 51, crypto 52, installer 53, and status daemon 54. The bootstrap module 
51 executes upon the initial installation of the appliance 11a onto the intranetwork 
13. The bootstrap module 51 sends a response message in reply to a broadcasted 
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"ping" query message from the configuration client 16. The response message 
includes the current configured network settings in use by the appliance lla.^For 
an unconfigured appliance 11a, the response packet includes only the media 
access controller (MAC) address used by the appliance 11a. As well, the 
bootstrap module 51 sends a response message to any subsequent query messages 
sent by the configuration client 16 and includes all currently in-use configured 0 
network settings, as maintained in the appliance configuration 55. 

Upon receiving a configuration packet from the configuration client 16, 
the bootstrap module 51 installs and sets up the various software applications to 
be executed by the appliance 11a. The software can include the operating system 
and any application-specific logic integral to providing the service performed by 
the appliance 11a. Through the use of the network operations center 12 and 
configuration client 16, the appliance 11a can be configured and managed 
remotely and in compliance with applicable security and administrative policies. 
Accordingly, the autonomous configuration and self-management of each 
network appliance lla-c can enable a vendor to provide a complete service 
model, whereby installations are handled autonomously and without significant 
end-user intervention. 

The crypto module 52 provides asymmetric (public key) and symmetric 
encryption. Both forms of cryptography are needed to transact a secure session 
with the network operations center 12 and a component server (not shown) used 
to manage and update the suite of applications 56 installed on the appliance 11a. 
The installer 53 installs applications received from a component server. Finally, 
the status daemon 54 periodically awakens and sends a report of the health and 
status of the network appliance 11a to the network operations center 12. The 
status report identifies the reporting appliance 11a and provides machine-specific 
data, including the load on the processor, available disk space and application- 
specific information, such as the number of emails passing through the device. 
The status report is referred to as a "SecureBeat." 

Each software module of the network operations center 12, configuration 
client 16 and exemplary appliance 11a is a computer program, procedure or 
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module written as source code in a conventional programming language, such as 
the C++ programming language, and is presented for execution by the CPU as 
object or byte code, as is known in the art. The various implementations of the 
source code and object and byte codes can be held on a computer-readable storage 
5 medium or embodied on a transmission medium in a carrier wave. The network 
operations center 12, configuration client 16 and exemplary appliance 11a operate 
in accordance with a sequence of process steps, as further described beginning 
below with reference to FIGURE 7. 

FIGURE 5 is a process flow diagram showing a remote network appliance 
10 configuration, as performed by the system of FIGURE 1. Each network appliance 
is autonomously configured by a configuration ("config") client 61. Upon the 
installation of a new appliance on the intranetwork 13 (shown in FIGURE 1), or 
as necessary to ascertain the current appliance configuration, the configuration 
client 61 broadcasts a "ping" query message (step 65) to all appliances 62 
15 currently interconnected within the bounded network domain. In response, each 
appliance 62 sends a response message (step 66) back to the configuration client 
61. Each response includes the current configured network settings in use by each 
appliance 62. A response containing only the media access controller (MAC) 
address of the appliance 62 indicates that the appliance is currently unconfigured. 

For each of the unconfigured appliances, the configuration client 61 sends 
a configuration packet request message (step 67) to the network operations center 
63 via a secure session. The network operations center 63 determines the correct 
configuration settings required by the appliance to be configured by referencing 
an appliance status table 33 (shown in FIGURE 2). The network operations 
center 63 generates a set of configuration parameters, which are sent (step 68) 
back to the requesting configuration client 61. The secure session is closed and 
the configuration client 61 forms a configuration packet for the unconfigured 
appliance 62. 

The configuration client 61 sends the configuration packet (step 69) to the 
unconfigured appliance 64 where the configuration packet is processed and 
installed. The appliance 64 sends a "SUCCESS" message (step 70) to the 
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configuration client 61 upon the successful configuration of the appliance. In 
response, the configuration client 61 returns a kick-start message (step 71) back to 
the appliance 64 to initiate an autonomous SecureBeat management session. 
Thereafter, the ongoing management of the appliance 64 is remotely facilitated by 
the network operations center 63. 

If the configuration is unsuccessful, the appliance 64 sends a "FAILURE" 
message (step 72) back to the configuration client 61, which resends the 
configuration packet (step 69) until successful. 

If the appliance 64 is still in the process of configuring, the appliance 64 
sends an unconfigured message (step 73) back to the configuration client 61, 
which then waits until the appliance 64 has been configured. Thereafter, a 
SecureBeat management session is initiated. 

FIGURE 6 is a data structure diagram showing a configuration packet 80 
served by the configuration client 16 of FIGURE 1. Each configuration packet 80 
contains the parameters described above with reference to FIGURE 2. 

While not necessary to completing an initial appliance configuration, the 
primary and secondary domain name server parameters 78 and 88, respectively, 
are optional and are provided for network administrative convenience. 

FIGURE 7 is a flow diagram 100 showing a method for providing Web 
browser-based secure remote network appliance configuration in a distributed 
computing environment, in accordance with the present invention. The individual 
components, including network operations center 12, configuration client 16 and 
individual network appliances lla-c, execute independently. Each of the 
components must be initialized and started (blocks 101-103) prior to appliance 
configuration. Upon respective initialization and starting, each component 
proceeds independently, as further described below with reference to FIGURES 
8-10. 

FIGURE 8 is a flow diagram 110 showing the process performed by the 
network operations center 12 of FIGURE 2. Network operations center 12 begins 
by connecting to a configuration client 16 (shown in FIGURE 1) requesting an 
applet 23 (shown in FIGURE 2) (block 111). An applet 23 is downloaded to the 
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configuration client 16 (block 112). Each configuration client 16 executes the 
applet 23 in a Web browser 17. 

Following applet download (blocks 111-112), the network operations 
center 12 executes an iterative processing loop (blocks 113-119). During each 
5 iteration (block 113), a secure session is established with a configuration^client 16 
(block 114). Upon establishing a secure session, a configuration packet request is 
received (block 115). The network operations center 12 looks up the 
configuration 40 (shown in FIGURE 2) for the configured appliance 11a and 
generates configuration parameters (block 116). The configuration parameters are 
10 downloaded to the configuration client 16 (block 117), after which the secure 
session is closed (block 118). Processing continues (block 119) until the process 
is terminated or halted. 

FIGURES 9A and 9B are flow diagrams 120 showing the process 
performed by the configuration client 16 of FIGURE 1. The configuration client 
16 begins by broadcasting a "ping" query message to all network appliances lla-c 
(block 121) interconnected within the bounded network domain. The 
configuration client 16 then executes an iterative processing loop (blocks 122- 
133) for each appliance lla-c. 

During each iteration (block 122), a response from an appliance 11a is 
received (block 123) and processed as follows. If the response from the appliance 
11a indicates that the appliance is not presently configured (block 124), a 
configuration parameters request is sent to the network operations center 12 
(block 125). The network operations center 12 generates a set of configuration 
parameters which are then received (block 126) and formed into a configuration 
packet for the unconfigured appliance 11a (block 127). The configuration packet 
is sent to the appliance 11a (block 128). 

The configuration client 16 awaits a status response from the appliance 
1 la (block 129). If the configuration succeeds (block 130), the configuration 
client 16 sends a kick-start packet to the appliance 11a (block 131), instructing the 
30 now-configured appliance 11a to initiate an autonomous SecureBeat management. 
Otherwise, if the configuration is not successful (block 130) and has failed (block 
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132), the configuration packet is sent again to the appliance 11a (block 128). 
Otherwise, the configuration client 16 waits for the completion of configuration 
by the appliance 11a (block 133), after which a kick-start packet is sent to the 
appliance 11a (block 131). Processing continues (block 134) until the process is 
terminated. 

FIGURE 10 is a flow diagram 140 showing the process performed by the 
network appliance 11a of FIGURE 4. Shortly following deployment into a 
network domain, or as necessary, a "ping" query message is received from a 
configuration client 16 (shown in FIGURE 1) (block 141). In response to the 
query message, the network appliance 11a generates and sends a response back to 
the requesting configuration client 16 (block 142). 

The response message includes the current network setting and 
configuration 55 (shown in FIGURE 4) used by the network appliance 11a. If the 
network appliance is not currently configured (block 143), a configuration packet 
is received from the configuration client 16 (block 144) and installed (block 145). 
If the installation is successful (block 145), a "success" response message is sent 
back to the configuration client 16 (block 146). The network appliance 11a then 
receives a kick-start packet from the configuration client 16 (block 147) 
instructing the network appliance 11 a to initiate a remote SecureBeat 
management session (block 148). If installation is not successful (block 145) and 
fails (block 149), a "failure" response is sent back to the configuration client 16 
(block 150), after which a further configuration packet is received from the 
configuration client 16 (block 144). Otherwise, if installation is still being 
performed (block 149), an "unconfigured" response is sent to the configuration 
25 client 16 (block 151) and the network appliance waits for configuration 

completion (block 152), after which a kick-start packet is received (block 147) 
and remote SecureBeat management session initiated (block 148). 

While the invention has been particularly shown and described as 
referenced to the embodiments thereof, those skilled in the art will understand that 
the foregoing and other changes in form and detail may be made therein without 
departing from the spirit and scope of the invention. 
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What is claimed is: 



1 1. A system for providing Web browser-based remote network 

2 appliance configuration in a distributed computing environment, comprising: 

3 one or more network appliances interconnected within a bounded network 

4 domain defined by a common network address space; and 

5 a configuration client comprising an applet executing within a Web 

6 browser and configuring the network appliances, comprising: 

7 a status module broadcasting a query message to the network 

8 appliances and processing a response message containing network settings, 

9 including a physical network address, received by the applet from at least one 

10 such network appliance responsive to the query message; and 

11 a configuration module generating and sending a configuration 

12 packet using the physical network address for each at least one such network 

13 appliance sending a response message and requiring configuration. 

1 2. A system according to Claim 1, further comprising: 

2 a list of the network appliances maintained by the status module for each 

3 at least one such network appliance sending a response message and not requiring 

4 configuration. 

1 3. A system according to Claim 1, further comprising: 

2 a completion module receiving a status message from each at least one 

3 such network appliance requiring configuration responsive to receipt of the 

4 configuration packet. 

1 4. A system according to Claim 3, wherein the status message 

2 indicates a successful configuration, further comprising sending a kickstart 

3 message to each at least one such network appliance to initiate an autonomous 

4 management session. 
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1 5. A system according to Claim 3, wherein the status message 

2 indicates an unsuccessful configuration, further comprising resending the 

3 configuration packet to the at least one such network appliance. 

1 6. A system according to Claim 3, wherein the status message 

2 indicates an on-going configuration, further comprising waiting for completion of 

3 configuration by the at least one such network appliance. 

1 7. A system according to Claim 1, further comprising: 

2 an applet database storing a plurality of applets customized for execution 

3 within each such bounded network domain; and 

4 an applet request module receiving the applet from the applet database and 

5 installing the applet into the Web browser prior to broadcasting the query 

6 message. 

1 8. A system according to Claim 7, wherein the applet is received in a 

2 secure session. 

1 9. A system according to Claim 1, further comprising: 

2 a message queue storing instructions for the applet, comprising sending at 

3 least one of the query message and the configuration packet. 



10. A system according to Claim 1, further comprising: 
a packet generator storing into the configuration packet values comprising 
at least one of hostname, domain, internet protocol address, netmask, gateway, 



4 primary domain name server, and secondary domain name 



server. 



1 11. A system according to Claim 1, wherein the bounded network 

2 domain is compliant with the TCP/IP and the configuration packet is compliant 

3 with the UDP. 

1 12. A method for providing Web browser-based remote network 

2 appliance configuration in a distributed computing environment, comprising: 
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3 broadcasting a query message from an applet executing within a Web 

4 browser to one or more network appliances, interconnected within a bounded 

5 network domain defined by a common network address space; 

6 processing a response message containing network settings, including a 

7 physical network address, received by the applet from at least one such network 

8 appliance responsive to the query message; and 

9 generating and sending a configuration packet using the physical network 

10 address for each at least one such network appliance sending a response message 

11 and requiring configuration. 

1 13. A method according to Claim 12, further comprising: 

2 updating a list of the network appliances for each at least one such 

3 network appliance sending a response message and not requiring configuration. 

1 14. A method according to Claim 12, further comprising: 

2 receiving a status message from each at least one such network appliance 
requiring configuration responsive to receipt of the configuration packet. 



3 



1 15. A method according to Claim 14, wherein the status message 

2 indicates a successful configuration, further comprising: 

3 sending a kickstart message to each at least one such network appliance to 

4 initiate an autonomous management session. 

1 16. A method according to Claim 14, wherein the status message 

2 indicates an unsuccessful configuration, further comprising: 

3 reseiiding the configuration packet to the at least one such network 

4 appliance. 

1 17. A method according to Claim 14, wherein the status message 

2 indicates an on-going configuration, further comprising: 

3 waiting for completion of configuration by the at least one such network 

4 appliance. 

1 18. A method according to Claim 12, further comprising: 
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2 receiving the applet from an applet database storing a plurality of applets 

3 customized for execution within each such bounded network domain; and 
installing the applet into the Web browser prior to broadcasting the query 



4 

5 message 



1 19. A method according to Claim 18, further comprising: 

2 receiving the applet in a secure session. 



1 



20. A method according to Claim 12, further comprising: 

2 sending at least one of the query message and the configuration packet 

3 from the applet responsive to instructions maintained in a message queue. 

1 21 . A method according to Claim 12, further comprising: 

2 storing into the configuration packet values comprising at least one of 

3 hostname, domain, internet protocol address, netmask, gateway, primary domain 

4 name server, and secondary domain name server. 

1 22. A method according to Claim 12, wherein the bounded network 

2 domain is compliant with the TCP/IP and the configuration packet is compliant 

3 with the UDP. 

1 23. A computer-readable storage medium holding code for performing 

2 the method according to Claims 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, or 22. 

1 24. A system for remotely configuring a network appliance deployed 

2 within a distributed computing environment, comprising: 

3 at least one network appliance sending a response message containing 

4 network settings responsive to a query message broadcast over a specified 
network domain within which the at least one network appliance operates; 



5 



6 a configuration client generating a configuration package for the at least 



7 



one network appliance and containing centrally managed network settings 

8 customized for the at least one network appliance; and 

9 a bootstrap module on the at least one network appliance installing the 
10 configuration package as part of an initialization bootstrap operation. 
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1 25 . A system according to Claim 24, further comprising: 

2 a centrally managed library of configurations containing network settings 

3 for each such network appliance operating with the specified network domain. 

1 26. A system according to Claim 24, further comprising: 

2 a library of applets for one or more Web browser-based configuration 

3 clients operating within the specified network domain. 

1 27. A system according to Claim 26, further comprising: 

2 an applet server deploying one such applet from the library to each such 

3 configuration client using a secure session. 

1 28. A system according to Claim 24, further comprising: 

2 a standardized user interface exported by the configuration client and 

3 providing configuration controls for a heterogeneous set of the network 

4 appliances. I 

1 29. A system according to Claim 24, further comprising: 

2 a package generator including at least one of a timestamp and a unique 

3 seed value in each such configuration package. 

1 30. A system according to Claim 24, further comprising: 

2 a completion module sending a message comprising one of success, 

3 failure and unconfigured following configuration package installation at each 

4 such network appliance. 

1 3 1. A system according to Claim 24, further comprising: 

2 a status daemon initializing a secure management session following 

3 successful configuration package installation on at least one such network 

4 appliance. 

1 32. A system according to Claim 24, wherein at least one such network 

2 appliance performs one of electronic mail anti-virus scanning, content filtering, 

3 packet routing, and file, Web and print servicing. 
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1 33. A system according to Claim 24, wherein the distributed 

2 computing environment is TCP/IP-compliant. 

1 34. A method for remotely configuring a network appliance deployed 

2 within a distributed computing environment, comprising: 

3 sending a response message containing network settings from at least one 

4 network appliance responsive to a query message broadcast over a specified 

5 network domain within which the at least one network appliance operates; 

6 generating a configuration package for the at least one network appliance 

7 and containing centrally managed network settings customized for the at least one 

8 network appliance; and 

9 installing the configuration package on the at least one network appliance 
10 as part of an initialization bootstrap operation. 

1 35. A method according to Claim 34, further comprising: 

2 centrally managing a library of configurations containing network settings 

3 for each such network appliance operating with the specified network domain. 

1 36. A method according to Claim 34, further comprising: 

2 maintaining a library of applets for one or more Web browser-based 

3 configuration clients operating within the specified network domain. 

1 37. A method according to Claim 36, further comprising: 

2 deploying one such applet from the library to each such configuration 

3 client using a secure session. 

1 38. A method according to Claim 34, further comprising: 

2 exporting a standardized user interface providing configuration controls 

3 for a heterogeneous set of the network appliances. 

1 39. A method according to Claim 34, further comprising: 

2 including at least one of a timestamp and a unique seed value in each such 

3 configuration package. 
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40. A method according to Claim 34, further comprising: 
sending a message comprising one of success, failure and unconfigured 

following configuration package installation at each such network appliance. 

41 . A method according to Claim 34, further comprising: 
initializing a secure management session following successful 

configuration package installation on at least one such network appliance. 

42. A method according to Claim 34, wherein at least one such 
network appliance performs one of electronic mail anti-virus scanning, content 
filtering, packet routing, and file, Web and print servicing. 

43. A method according to Claim 34, wherein the distributed 
computing environment is TCP/IP-compliant. 

44. A computer-readable storage medium holding code for performing 
the method according to Claims 34, 35, 36, 37, 38, 39, 40, 41, 42, or 43. 
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SYSTEM AND METHOD FOR PROVIDING WEB BROWSER-BASED 
SECURE REMOTE NETWORK APPLIANCE CONFIGURATION IN A 
DISTRIBUTED COMPUTING ENVIRONMENT 

Abstract 

A system and method for providing Web browser-based remote network 
appliance configuration in a distributed computing environment is described. A 
query message is broadcast from an applet executing within a Web browser to om 
or more network appliances. The network appliances are interconnected within a 
bounded network domain defined by a common network address space. A 
response message containing network settings, including a physical network 
address, is received by the applet from at least one such network appliance 
responsive to the query message and processed. A configuration packet is 
generated and sent using the physical network address for each at least one such 
network appliance sending a response message and requiring configuration. 
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